


Institutional Archive of the Naval Postgraduate School 





Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 1. Thesis and Dissertation Collection, all items 


1986 


Preventing internal computer abuse. 


Tart, Randal Gerald 


http://ndl.handle.net/10945/22044 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for 
research materials and institutional publications created by the NPS community. 
Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first 
appointed -- and published -- scholarly author. 

Dudley Knox Library / Naval Postgraduate School 
411 Dyer Road / 1 University Circle 
Monterey, California USA 93943 





http://www.nps.edu/library 




DUDLEY KNOX LIBRARY 
NAVAL POSTGRADUATE SCHOOL 
MONTEREY, CALIFORNIA 93945-5008 

















NAVAL POSTGRADUATE SCHOOL 


Monterey, California 





THESIS 


PREVENTING INTERNAL COMPUTER ABUSE 
by 
Randal Gerald Tart 


December 1986 


Thesis Advisor: Norman R. Lyons 





Approved for public release; distribution is unlimited 





UNCLASSIFIED 
SECURITY CLASSIFICATION OF THIS PAGE 

REPORT DOCUMENTATION PAGE 

1a REPORT SECURITY CLASSIFICATION: UNCLASSIFIED 
1b RESTRICTIVE MARKINGS: 
2a SECURITY CLASSIFICATION AUTHORITY: 
2b DECLASSIFICATION/DOWNGRADING SCHEDULE: 
3 DISTRIBUTION/AVAILABILITY OF REPORT: Approved for public release; distribution is unlimited 
4 PERFORMING ORGANIZATION REPORT NUMBER(S): 
5 MONITORING ORGANIZATION REPORT NUMBER(S): 
6a NAME OF PERFORMING ORGANIZATION: Naval Postgraduate School 
6b OFFICE SYMBOL (if applicable): Code 54 
7a NAME OF MONITORING ORGANIZATION: Naval Postgraduate School 
6c ADDRESS (City, State, and ZIP Code): Monterey, California 93943-5000 
7b ADDRESS (City, State, and ZIP Code): Monterey, California 93943-5000 
8a NAME OF FUNDING/SPONSORING ORGANIZATION: 
8b OFFICE SYMBOL (if applicable): 
9 PROCUREMENT INSTRUMENT IDENTIFICATION NUMBER: 
8c ADDRESS (City, State, and ZIP Code): 
10 SOURCE OF FUNDING NUMBERS: PROGRAM ELEMENT NO. / PROJECT NO. / TASK NO. / WORK UNIT ACCESSION NO. 
11 TITLE (include Security Classification): PREVENTING INTERNAL COMPUTER ABUSE 
12 PERSONAL AUTHOR(S): Tart, Randal G. 
13a TYPE OF REPORT: Master's Thesis 
13b TIME COVERED: FROM / TO 
14 DATE OF REPORT (Year, Month, Day): 1986, December 
15 PAGE COUNT: 106 
16 SUPPLEMENTARY NOTATION: 
17 COSATI CODES: FIELD / GROUP / SUB-GROUP 
18 SUBJECT TERMS (Continue on reverse if necessary and identify by block number): Internal Computer Abuse; Employee Computer Abuse; Top Management Control of Computer Abuse 

19 ABSTRACT (Continue on reverse if necessary and identify by block number) 
American businesses lose millions of dollars every year through com- 
puter crime perpetrated by company employees. Most of these losses are 
the direct result of inadequate corporate security programs. They could 
be eliminated fairly easily if organizations would employ common sense and 
relatively inexpensive remedial actions that range from the mostly broad- 
based and non-technical efforts of top management to the very specific 
and technical measures inherent to lower management levels. This paper 
deals specifically with the steps that should be taken at the top manage- 
ment level. It proposes that top management must first develop a better 
understanding of the nature of the criminal threat and effect an ethical 
business environment that will detect/deter/prevent abusive inclinations. 
Top management must then ensure that a sound overall security program is 

20 DISTRIBUTION/AVAILABILITY OF ABSTRACT: UNCLASSIFIED/UNLIMITED / SAME AS RPT / DTIC USERS 
21 ABSTRACT SECURITY CLASSIFICATION: Unclassified 
22a NAME OF RESPONSIBLE INDIVIDUAL: Prof. Norman R. Lyons 
22b TELEPHONE (include Area Code): [illegible in scan] 
22c OFFICE SYMBOL: Code 54 

DD FORM 1473, 84 MAR    83 APR edition may be used until exhausted    SECURITY CLASSIFICATION OF THIS PAGE 
All other editions are obsolete    UNCLASSIFIED 

UNCLASSIFIED 
SECURITY CLASSIFICATION OF THIS PAGE (When Data Entered) 

19 ABSTRACT (CONTINUED) 

in place as a framework within which specialized 
security controls can and must function. Finally, 
top management must initiate specific security controls 
and ensure that subordinate levels of managers follow 
suit. 

S/N 0102-LF-014-6601    2    UNCLASSIFIED 
SECURITY CLASSIFICATION OF THIS PAGE (When Data Entered) 


Approved for public release; distribution is unlimited 


Preventing Internal Computer Abuse 


by 
Randal Gerald Tart 


Major, United States Army 
B.S., United States Military Academy, 1972 


Submitted in partial fulfillment of the 
requirements for the degree of 


MASTER OF SCIENCE IN INFORMATION SYSTEMS 


from the 


NAVAL POSTGRADUATE SCHOOL 
December 1986 


ABSTRACT 


American businesses lose millions of dollars every year 
through computer crime perpetrated by company employees. 
Most of these losses are the direct result of inadequate 
corporate security programs. They could be eliminated 
fairly easily if organizations would employ common sense and 
relatively inexpensive remedial actions that range from the 
mostly broad-based and non-technical efforts of top manage- 
ment to the very specific and technical measures inherent to 
lower management levels. This paper deals specifically with 
the steps that should be taken at the top management level. 
It proposes that top management must first develop a better 
understanding of the nature of the criminal threat and 
effect an ethical business environment that will 
detect/deter/prevent abusive inclinations. Top management 
must then ensure that a sound overall security program is in 
place as a framework within which specialized security 
controls can and must function. Finally, top management 
must initiate specific security controls and ensure that 


subordinate levels of managers follow suit. 
I. INTRODUCTION 


"Computer abuse" has been broadly defined as any 
incident associated with computer technology in which a 
victim suffered or could have suffered loss and a perpetrator, 
by intention, made or could have made gain [Ref. 1]. 
For purposes of this paper, it is more restrictively defined 
as any activity in which a "computer system" is used by an 
employee to commit fraud or theft or to deliberately misuse, 
alter, destroy, compromise or sabotage any organizational 
assets, including data and information. Nobody knows the 
amount of computer abuse that is occurring in the United 
States, because much (probably most) of it goes undetected, 
and there is some evidence that less than 15 percent of that 
which is detected is ever reported. [Ref. 2] 

There is also fairly widespread disagreement among 
computer security "experts" about the extent to which 
computer abuse should be considered a problem in 1986. For 
example, a survey of 130 prosecutor's offices in 38 states, 
conducted by the National Center for Computer Crime Data, 
revealed that, last year, criminal charges were filed in 
just 75 cases of computer abuse reported in those jurisdictions. 
In dollar terms, those incidents totalled only 


$936,000 in system and data destruction. Another $551,660 


was lost in program and data theft and $105,170 in cash 
theft. [Ref. 3] 

Other surveys, however, suggest that the instances of 
actual computer abuse are not fairly represented by the 
number of cases that are reported and prosecuted. One such 
survey, conducted by the American Bar Association (ABA) for 
the same time period (1985) found estimated ". . . losses of 
$20 million to $45 million in the past year and said that 
nearly half the government agencies and businesses queried 
have suffered computer [abuse]." [Ref. 3] As can be seen, 
the ABA loss estimates are significantly higher than those 
suggested by the National Center for Computer Crime Data 
even though both surveys included as computer abuse any 
incident that involved computer technology and disregarded 
the source (internal or external) of the abuse. Still, even 
the ABA numbers pale in significance when considered in the 
context of a trillion dollar annual economy. 

Dr. Jay BloomBecker, the Director of the National 
Computer Crime Data Center, agrees that the estimated dollar 
losses are relatively insignificant when compared with the 
annual national economy. Also, he agrees with the ABA that 
most instances of computer abuse are not reported, but he 
contends that the ABA statistics are probably too large. 
The findings of his organization indicate that, today, 
American companies have done a reasonably good job of 


countering computer abuse by reducing both the number of 


incidents and the size of individual losses. He says that 
his organization refuses to get "caught up" in the numbers 
game that is played by so many experts in the field. [Ref. 
4] 

The reason that Dr. BloomBecker is unwilling to play the 
"numbers game" is that he feels the amount of money lost to 
computer abuse may be relatively unimportant. It represents 
only one aspect of the computer security problem. There are 
other, non-quantifiable, aspects that may be of even greater 
importance than just the dollar-size of the losses. In some 
cases, the quality of the losses of computer crime may be of 
paramount importance. For example, the potential loss to 
hostile intelligence agencies or through industrial espionage 
is incalculable in dollar terms. 

In fact, the "quality" aspect of the computer losses 
represents such a tremendous potential risk to American 
information systems that it was recently addressed by the 
Department of Defense: 

On Nov 11, [1986], the Pentagon confirmed the worst 
fears of the information industry: It served notice that 
it intends to apply sweeping new controls over the 
contents of computer data bases to stem the flow of scientific, 
technical, and economic information to the Soviet 
bloc. . . . [Ref. 5] 

In this instance, the Pentagon is not really concerned about 
the dollar value of the information taken. It is, instead, 
so concerned about the quality or sensitivity of the stolen 


information that it has taken some rather drastic steps to 


stop the flow. The Business Week article, of which the 


above quote is a part, went on to say that "jaws were 
hitting the floor all over the audience" as Diane Fontaine, 
head of the Pentagon's information systems directorate, 
startled a meeting of the Information Industry Association 
with a pronouncement that the Reagan Administration is 
studying ways to censor public data bases, even though the 
information contained in them may be unclassified and 
readily available elsewhere. [Ref. 5] 

Computer data bases are the primary aim of the Adminis- 
tration's security efforts because they are considered 
". . . gold mines for foreign agents." [Ref. 5] In the 
intense international competition for advanced technology, 
access to protected data files can often prove to be a distinct 
advantage to unscrupulous but sophisticated individuals 
or organizations capable of exploiting the benefits of 
information painstakingly accumulated by others. To the 
dismay of the American Civil Liberties Union and many 
business leaders, the former National Security Advisor, John 
Poindexter, issued a memorandum on November 5, 1986, giving 
federal agencies unprecedented powers to suppress informa- 
tion under a new sort of security classification, called 
"sensitive." Under this "classification," federal officials 
may refuse to divulge even unclassified material relating to 
national defense or foreign policy. [Ref. 5] Also, 
according to an Associated Press article, other more 


restrictive controls are expected to be included in a 
pending 1987 Presidential executive order that will tighten 
information security still further by such measures as 
requiring better and more frequent background investigations 
and, possibly, stationing Defense Investigative Service 
agents permanently inside large defense contractor plants. 
[Ref. 6] 

It is in this sense of the "quality" of computer abuse 
that Dr. BloomBecker believes that the proper focus of 
computer crime statistics should not be so much toward 
showing that computer abuse is a BIG problem, but rather 
that they be used as a tool to assist in eliminating the 
potential for abuse. For example, the Computer Crime Data 
Center has found that four of the top five abusers of 
computer systems are individuals who are "internal" to and 
working for the victim organization (these include full-time 
employees, part-time employees, consultants and 
contractors). [Ref. 4] So, while many organizations are 
currently focusing much of their attention and resources on 
the oft-publicized "system hacker," or external intruder, it 
appears that the major danger may be freely admitted into 
the organization every day. 

As suggested by the more restrictive definition of 
computer abuse, this thesis deals with the threat of infor- 
mation system abuse posed by organizational employees. The 
author agrees with Donn Parker that ". . . computer abuse 


and crime are [not] out of control or that they have reached 




epidemic or calamitous proportions." [Ref. 2] Instead, it 
is believed that significant potential for computer abuse 
does exist in many individual organizations, mainly because 
of neglect of necessary security countermeasures by those 
organization's top management. This belief is supported by 
Peggy Watt, a correspondent for Computerworld, who writes 
that only 43.3 percent of the organizations queried by the 
American Society of Industrial Computer Security even had a 
computer crime policy and still fewer (only 38.2 percent) 
had a model computer security program. [Ref. 3] 

This thesis posits that those organizations that are not 
formally addressing computer security issues are leaving 
themselves open for abuse. It suggests that every business 
that employs computer assets needs a security program to 
help protect themselves against abuse, and especially that 
abuse generated by "insiders." Further, it suggests that 
the best countermeasures--the most cost-effective--are the 
practices and procedures already in place in most organiza- 
tions. Proper employment of these basic managerial tools 
will greatly reduce the potential for computer abuse. 

As a way of addressing computer security issues in the 
most straightforward and common sensibly correct manner 
possible, Ron Weber suggests that organizational leaders 
should view the computer security function as an "onion" 
whose layers of skin constitute the various levels of 


management and applications controls needed to adequately 




protect the information system. In his book, EDP Auditing, 
he pictures the "onion" as shown below [Ref. 7]. Forces 
that erode the inner core (data integrity, asset 
safeguarding, system efficiency, and system effectiveness) 
must first penetrate the outer control layers. Weber says 
that to ". . . the extent that the outer layers of 
control are intact, it is likely the inner layers of control 


will be intact." [Ref. 7:p. 24] 

This thesis will discuss Weber's outer layer of 
controls. More specifically, it will discuss the things 
that top management must consider and do to ensure that 
Weber's outer layer of security is intact so that it can be 
assured that the inner layers will be intact as well. The 
focus will be toward top managerial actions needed to secure 
the organizational computer assets against internal abuse. 

Thus, in the chapters that follow, a process is des- 
cribed that will ensure the existence of a solid foundation 
on which a viable computer security effort may be built. 
The process first defines the possible sources of internally 
generated abuse and provides a profile of the "enemy" 
against whom the program must be targeted (Chapter II). 
Then, in Chapter III, the necessity of an ethical business 
environment in EDP organizations is discussed. Afterwards, 
a description of the makeup of an overall security program 
that will serve as a framework within which specialized 
control measures can and must function is made (Chapter IV). 
Finally, in Chapter V, specific top management-initiated 
controls needed to extend the framework and to prevent, 
detect, and deter internal computer abuse is detailed. It 
is cogently argued that top management must get intimately 
involved in each of these areas and lead the security effort 


to success or it will likely fail. 
II. THE ENEMY 


A. INTRODUCTION 

As stated in the previous section, the present focus is 
on securing a sensitive computer system against internal 
abuse. In order for top management to properly direct the 
organization's security effort, it must first have a good 
understanding of the nature of the internal threat. This is 
particularly important in the computer systems' arena 
because, normally, the threat is not easily identifiable. 
Generally, the computer abuser is a current and, probably, a 
well-regarded employee. Many managers have been shocked to 
discover that a highly trusted colleague, perhaps even their 
Saturday-morning golfing partner, "doubled" as their firm's 
greatest criminal threat. 

In this section, a profile of the "enemy" is established 
in order that top management will know against whom the 
security effort must be targeted. The discussion first 
looks at the types of computer criminals that have been 
identified and shows that each of these types represents a 
significant internal threat to the computer system. It 
then concentrates on the most likely threat to most 
organizations, the amateur computer criminal, and provides a 
general description of this type of computer criminal and a 


discussion of why otherwise good employees might begin to 




abuse the computer system. Finally, because the thrust of 
the security effort described is against the amateur 
computer criminal, other important characteristics of this 


type criminal are discussed in some detail. 


B. PROFILE OF THE ENEMY 
1. Types of Computer Criminals 

Donn B. Parker, probably the most widely published 
authority on computer crime, writes that computer criminals 
may be categorized into one of seven types. These include 
extreme advocates, governments, system hackers, career 
criminals, deranged individuals, criminal organizations, and 
amateurs. Parker says that each type is mutually exclusive 
in its characteristics but, by changing his/her character, an 
individual may change from one type to another. [Ref. 2:p. 
106] 

Top management must be concerned with all these 
categories of computer criminals and, depending upon the 
purposes of the organization and the degree of sensitivity 
of the information processed on its EDP systems, it must 
take appropriate steps to combat the threats posed by them. 
For example, agents of foreign governments do pose signifi- 
cant internal risks to many computer organizations, as seen 
by the fact that Soviet KGB ". . . scientific collection 
orders have targeted dozens of American firms and over 60 
universities" [Ref. 8] for high-technology information. 


Also, several European terrorist organizations have 
specifically marked computer organizations for elimination, 
and there is considerable evidence that some of their most 
successful attacks have been linked to internal operations. 
[Ref. 9] 
2. The Amateur Computer Criminal 

However, while each of these types of computer 
criminals pose significant threats to information systems, 
the one that is considered to be the most dangerous is the 
amateur computer criminal. This belief is based on Parker's 
1982 statement that most ". . . reported computer crime so 
far has been performed by amateurs" [Ref. 2:p. 107] and on 
his subjective opinion of the relative level of threat posed 


by each type of computer criminal, as shown in Table 1. 


TABLE 1 
RELATIVE THREAT LEVELS 

Source of Threat                 Past Threat: 
                                 All Computer Crime 
Amateur Criminals                High 
Deranged Individuals             Low 
Career Criminals                 Low 
Organized Criminal Groups        Low 
Extreme Advocates 
  - Economic                     Low 
  - Religious                    Low 
  - Political                    Medium 
Foreign Powers                   Low 

Source: [Ref. 2:p. 277] 




A quick glance at a listing of the occupations of 
the perpetrators of all 293 cases of computer abuse reported 
up to (but not including) 1975 seems to verify Parker's 


subjective judgment: 


TABLE 2 
PERPETRATORS' OCCUPATIONS 

                                              Persons      Cases 
EDP employees 
  Computer maintenance engineers                   99          5 
  EDP employees (undesignated)                     87         60 
  Programmers                             [illegible] [illegible] 
  Computer operators                               24 [illegible] 
  Keypunch operators                      [illegible]          3 
  EDP managers                                      6          6 
  Systems analysts                                  3          3 
  Tape librarian                          [illegible] [illegible] 

Non-EDP People 
  Nonemployees                            [illegible]         33 
  Students                                         49         31 
  General managers and vice presidents             17         16 
  Accountants                                       8 [illegible] 
  Clerks, assistants 
  Law enforcement officers 
  Political rioters--nonstudents 
  Auto driving school owners, employees 
  Claims personnel 
  Presidents of firms 
  County commissioner, supervisor 
  Insurance agents 
  Salesmen 
  Physicians 
  Army officer 
  Chief buyer 
  Controller 
  Auditor 
  Mayor 
  Messenger 
  Order entry clerk 
  Pharmacist 
  Public relations specialist 
  Real estate broker 
  Company secretary 
  (Persons and Cases figures for the entries from "Clerks, assistants" 
  onward are illegible in the scan.) 

TABLE 2 -- (CONTINUED) 

Non-EDP People                                Persons      Cases 
  Head teller                                       1          1 
  Senior airline official                           1          1 
  Senior analyst                                    1          1 
  Non-EDP employees undesignated                    6          4 
  Undesignated                                     66 [illegible] 

Source: [Ref. 2] 


As can be seen, most computer abusers are otherwise ordinary 
people in positions of trust. They may possess special 
computer-related skills, knowledge, and resources or they 
may not--it is significant to note that only 42.7 percent 
(125/293 = .4266) of the total cases were perpetrated by EDP 
employees. More often, the cases involved non-EDP employees 
and, frequently, these individuals occupied high-level 
management-type positions and colluded with EDP-skilled 
persons [Ref. 2:p. 277], which accounts for the large number 
of people involved in many of the cases. 

The breakdown demonstrates fairly clearly that the 
computer abuser who has been most identified and reported is 
overwhelmingly an amateur criminal. Parker suggests that 
about the only difference between those that are identified 
and reported and those that are not is that the former made 
mistakes in their crimes that led to their capture [Ref. 
2:p. 277]. It is a fairly safe assumption that most 
unreported, as well as reported, cases of computer abuse are 


perpetrated by amateurs. Thus, the amateur is the primary 
concern of this paper and his/her profile will be developed 
more fully in the following paragraphs. 

Amateurs differ from Parker's other types of 
computer criminals in the following respects. They are not 
abnormal psychologically. Since they normally have 
authorized access to the system, they are not trespassers, 
as are system hackers. They do not depend on crime for 
their livelihood. They often do conspire in their crimes, 
but normally not to the degree that they could be classified 
as organized or government-sponsored criminals. Amateurs 
are generally not extreme advocates for any cause other than 
resolving their own personal problems. 

Their problems include money, family, drug or 
alcohol addiction, gambling, or work-related problems, 
perhaps created by the stressful environment in which they 
must function. They often consider their problems to be 
unshareable and find that violating their trust or using 
their special capabilities is a means of solving their 
problems. Other individuals may have a need to obtain 
personal goals not in consonance with the organization or to 
satisfy egotistical drives by means of malicious acts. 
Thus, amateurs may perform a wide variety of white-collar 
crimes or violent crimes such as sabotage. They are not 
necessarily extremely intelligent, but usually they are 


expert in the functions of their acts. [Ref. 2] 
C. OTHER IMPORTANT CHARACTERISTICS OF THE AMATEUR COMPUTER 
CRIMINAL 


As mentioned, amateurs have traditionally posed the 
greatest threat to an organization's computer assets. It is 
the amateur computer criminal that is the primary "enemy" 
against whom the security effort must be targeted. So, in 
the discussion that follows, some additional characteristics 
of the amateur computer criminal will be enumerated. Top 
level managers must consider these characteristics when 
formulating their security program and controls. The 
characteristics are mostly borrowed from Parker's Crime By 
Computer and are based on findings of the Stanford Research 
Institute. They include the following areas. 
1. Age 

Perpetrators are young, eighteen to thirty years 
old, except those in management positions who tend to be 
somewhat older. This is not surprising, considering that 
the age of all computer personnel is lower than in most 
other occupations. However, while not surprising, the 
youthfulness of the criminal relative to the high degree of 
trust inherent to EDP positions has often been a significant 
factor in computer abuse cases. The desperation frequently 
associated with the very stressful EDP environment combined 
with the courage, recklessness, and self-confidence of youth 
appears to be a risky mix. Also, behavioral scientists 
suggest that the younger the person, the greater his cyni- 


cism about managers and jobs; excessive cynicism encourages 




unethical behavior on the grounds that "I'd be a fool not to 
if everyone else is." (Ref. 10] 
2. Gender 
Women generally have not been as susceptible to 
computer crime as men. When they are involved, they tend to 
be keypunch operators or clerks and are working in concert 
with others. 
3. Rationalization of Misconduct 
"Discovered" perpetrators often put more energy into 
rationalizing their criminality than they did into performing 
it. They work very hard to reduce the element of 
criminality in their motives. They can argue convincingly 
that their misconduct was reasonable under the circum- 
stances. Their acticns were designed to cause the least 
harm to the least number of people and, yet, still success- 
fully solve their problems. 
4. Unintentional Criminality 
Amateur computer criminals generally feel very bad about violating the trust inherent in their positions, and they almost always intend to restore or make up for the loss suffered by the victim. However, they often find that committing the crime was easier than restoring the status quo in an undiscovered way. Many computer embezzlers conceived of themselves as borrowers (vice thieves) since they fully intended to return the money. Those that "borrowed" money over a period of time later discovered that there was no way to return it and, thus, in their minds, became criminals without intending to do so.
5. Personal Characteristics 
Perpetrators are usually bright, eager, highly motivated, courageous, adventuresome, and qualified people willing to accept a technical challenge. They have exactly the qualities that make them desirable computer systems employees. Thus, designing safeguards under the assumption that potential perpetrators will not be aware of the technical intricacies is a futile exercise. The principal threat against which protection is required is the perpetrator who knows as much about the system as the designers.
6. Social Mores 
Amateur computer criminals tend to differentiate between doing harm to individual people, which they feel is immoral, and doing harm to organizations, which they believe, in some circumstances, is not immoral. Often they claim that they are just getting even for the wrongs that the organization has done to themselves or to society.
7. Feelings Toward Employer 
Some form of disgruntlement with their employers is almost always present among amateur computer criminals. They generally identify with their technology to a greater degree than with their employer or the business activity. Thus, high stress and discontent are quite common as EDP professionals try to do their jobs, stay abreast of a rapidly changing technology, change practices and procedures to incorporate advancements, and deal with managers who are lacking in skills and/or understanding of new computer technology.
8. Greatest Fear 

Perpetrators most strongly fear unanticipated detection and exposure. They are generally white-collar types for whom the exposure would cause great embarrassment, loss of face and prestige among their peers and families. The importance of this characteristic is that detection, as a means of protection, is at least as important as prevention.


9. Programmers 


Programmers appear to be somewhat susceptible to becoming abusive toward the computer system. As indicated by Table 1, roughly 10% (29/293 = .099) of all cases reported up to 1975 were perpetrated by programmers. This is caused by several factors. Programming can be a most overwhelming, intense, and challenging activity that can obscure many other values. The development of software is an exercise that is rife with opportunities for criminal misconduct. Finally, some programmers get so immersed in their work that they lose all contact with reality. They are called computer "bums" and will sit riveted and transfixed to a CRT for 20-30 hours at a time, barely eating. They are compulsive and susceptible to misconduct. When programmers are involved, they often work in collusion with others.
10. Collusion

Amateurs often collude with others in performing their criminal acts. One study of 50 incidents, involving losses in excess of $100,000 each, showed that collusion was involved in 39 percent of the cases and 32 percent of the losses [Ref. 12:p. 28]. This is because the computer crimes with the greatest potential rewards often require more skills, knowledge, and access than any one individual may possess. Collusion tends to involve a technical person who can perpetrate the act and another person who is in a position to translate the act into some form of gain. The differential association theory, which states that perpetrators' acts tend to deviate only slightly from the accepted and common practices of their associates, applies strongly in explaining collusion. A group of people working together will sometimes tend to reinforce one another in the minor unethical acts that can grow to serious acts (e.g., they'll take home pencils today, paper pads tomorrow, and pocket calculators the next day). [Ref. 1:pp. 41-51]
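Two of the points above, that unanticipated detection is at least as strong a safeguard as prevention (section 8) and that collusion pairs a technical person who can perpetrate the act with someone positioned to turn it into gain (section 10), can be turned into a concrete audit-trail review. The following Python program is an added example written for this edition; it is not part of the thesis, of Parker's work, or of any system the thesis describes. The log format, the field and role names, the business-hours window, the rule that the last two dotted components of an object name identify the business entity, and the sample records are all constructed assumptions.

```python
"""Audit-trail review: detection as a safeguard, and a collusion pattern.

Everything here is a constructed illustration. The log format, roles and
sample records are assumptions, not any real system's audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: timestamp, user, role, action, object touched.
SAMPLE_AUDIT_LOG = """\
1986-03-03T09:12:00 jdoe   programmer MODIFY   prod.payroll.rates
1986-03-03T09:40:00 mbrown clerk      DISBURSE vendor.4471
1986-03-03T22:05:00 jdoe   programmer MODIFY   prod.ap.vendor.4471
1986-03-03T22:31:00 mbrown clerk      DISBURSE vendor.4471
1986-03-04T10:02:00 asmith programmer READ     dev.ap.vendor.4471
1986-03-04T14:15:00 kwhite teller     DISBURSE vendor.9090
"""

# Assumed role split: who can alter the system versus who can realise gain.
TECHNICAL_ROLES = {"programmer", "operator"}
GAIN_ROLES = {"clerk", "teller"}
BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 local time


def parse_log(text):
    """Parse whitespace-separated audit lines into dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, obj = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "obj": obj})
    return records


def production_changes_by_technical_staff(records):
    """Technical staff altering production objects: a separation-of-duties gap."""
    return [r for r in records
            if r["role"] in TECHNICAL_ROLES and r["action"] == "MODIFY"
            and r["obj"].startswith("prod.")]


def after_hours_activity(records, hours=BUSINESS_HOURS):
    """Any activity outside the assumed business-hours window."""
    start, end = hours
    return [r for r in records if not (start <= r["ts"].hour < end)]


def entity_key(obj):
    # Assumption: the last two dotted components name the business entity,
    # so prod.ap.vendor.4471 and vendor.4471 refer to the same vendor.
    parts = obj.split(".")
    return ".".join(parts[-2:])


def possible_collusion(records, window=timedelta(hours=2)):
    """Pair a technical MODIFY with a later gain-role action by a different
    user on the same entity inside the window. Returns (entity, tech, gain)."""
    by_entity = defaultdict(list)
    for r in records:
        by_entity[entity_key(r["obj"])].append(r)
    pairs = []
    for entity, recs in by_entity.items():
        recs.sort(key=lambda r: r["ts"])
        for i, tech in enumerate(recs):
            if tech["role"] not in TECHNICAL_ROLES or tech["action"] != "MODIFY":
                continue
            for later in recs[i + 1:]:
                if later["ts"] - tech["ts"] > window:
                    break  # records are sorted, nothing later is closer
                if later["role"] in GAIN_ROLES and later["user"] != tech["user"]:
                    pairs.append((entity, tech["user"], later["user"]))
    return pairs


def review(text):
    """Run all three checks over a log and return the findings."""
    recs = parse_log(text)
    return {
        "records": len(recs),
        "prod_changes_by_technical_staff": len(production_changes_by_technical_staff(recs)),
        "after_hours": len(after_hours_activity(recs)),
        "possible_collusion": possible_collusion(recs),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

The point of the three checks is that none of them stops the act; they make discovery likely, which section 8 identifies as the thing perpetrators fear most. The review should be run by someone outside the technical staff, since the perpetrator the text worries about knows the system as well as its designers and would otherwise be reviewing his own trail.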

11. Ethical Breakdown 

In Fighting Computer Crime, Parker describes another characteristic of the amateur computer criminal that has been repeatedly observed and that is noteworthy. This characteristic manifests itself in the form of those individuals who are known to possess high ethical standards and yet who have learned to ignore them in a very technical environment that treats employees equally regardless of their ethical values and in which abusive acts can be easily concealed. Such a situation describes exactly the environment surrounding a sensitive computer system and, not surprisingly, Parker says the numbers of these individuals ". . . is growing as the percentage of assets and asset records processed by computers increase." [Ref. 2:p. 15]
12. Other Characteristics 
Brian Starfire, a Washington, D.C., computer consultant, recently confirmed in his nationally syndicated column much of Parker's description of the computer criminal. Quoting the "First Annual Statistical Report," which was based on the 75 reported and tried cases that were studied by the National Center for Computer Crime Data, Starfire also writes that most non-student criminals are 22 to 30 years old and occupy programming positions (just over 14% of the survey sample), followed by data entry clerks and bank tellers. Further, theft of money was the most common type of crime (45% of the total), with theft of software or data and willful damage to software (combined at 16%) being the next largest areas abused by the amateur. The only other significant single area of abuse was theft of services which represented 10% of the total computer crimes reported. [Ref. 11]
D. SUMMARY

The amateur computer criminal is the primary "enemy" that must be targeted by the computer security effort. The amateur commits the majority of the abusive acts against computer systems even though he/she is not expert in criminal activity. Amateur computer criminals are particularly difficult with which to deal because they are not readily identifiable and because they are, for the most part, otherwise good citizens and employees. They are generally insidious and possess most of the qualities and attributes that are found in the organization's very finest workers. Stemming their abusive behavior without employing overly restrictive and counter-productive safeguards or an environment of distrust is a formidable task. In the sections that follow, the characteristics of amateur computer criminals are considered as the overall security effort is formulated.
III. ETHICAL BUSINESS ENVIRONMENT


A. INTRODUCTION

Before top management can effectively introduce a computer security program or any specific control measures into the corporate workplace, it is first necessary that the executives ensure that a healthy ethical business climate predominates all other facets of the work environment. This is so because of the natural tendency to circumvent controls, especially those that may be viewed as obstacles to progress in other important areas. Since top management cannot be omnipresent to ensure that its prescribed security measures are being employed, it must rely upon the goodness and professionalism of subordinate personnel in this regard. Thus a strongly internalized sense of ethical conduct, ubiquitous at all levels of the organization, is of paramount importance if information systems are to be secure.

In this section, the concept of ethical business behavior is explored in some detail. First, the requirement for sound business ethics in a computer organization is discussed. Then, four rationalizations, whose widespread acceptance in organizations cause unethical behavior, are presented. Finally, the significance of these rationalizations, especially for top management of an organization that employs computer systems, is considered.


B. REQUIREMENT FOR ETHICAL BUSINESS ENVIRONMENT 

The requirement for a strong, ethical environment in any business seems obvious. It appears especially obvious when one considers the security needs of a computer organization because ethical conduct serves as the foundation on which the overall security program must be built. It is not only at the core of individual control mechanisms, in essence making them viable safeguards, but it properly recognizes the fact that most employees want to (and, under normal circumstances, will) act ethically. Hence, an ethical business environment is most facilitative of relatively unencumbered productive effort and would have to be considered as the most cost-efficient security control mechanism.

The fact that ethics is discussed here separately, and not later with the other control mechanisms, only attests to its overwhelming importance to a computer organization. By fostering a strong sense of ethical propriety, management can be quite effective in stymieing abusive inclinations. Also, by establishing and relying upon a code of ethics, management is allowed to take a precautionary posture that minimizes the opportunities or perceived need for abuse on the one hand while motivating honest activities on the other (see the discussion on "Standards of Conduct" in Chapter V for precautions). To function differently would be unwise because, as Leonard Krauss and Aileen MacGahan write, ". . . it makes little sense, and is quite counterproductive, for management to harbor a distrustful attitude." [Ref. 12]


C. FOUR RATIONALIZATIONS THAT CAUSE UNETHICAL BEHAVIOR 

In view of the above, one would think that ethical business conduct would be strongly internalized into the cultures of most business organizations. However, this apparently is not the case. As Dr. Saul Gellerman, Dean of the University of Dallas Graduate School of Management, wrote in the Harvard Business Review, roughly two-thirds of America's 500 largest corporations have been involved, in the last ten years, in some form of criminal behavior [Ref. 13]. Also, consider the recent disclosures of insider trading on Wall Street. Financial malfeasance at the very heart of corporate America appears to be no insignificant threat.

Dr. Gellerman postulates that this dangerous situation is the result of the pervasiveness within organizations of four "rationalizations" that can cause managers to fall prey to ill-advised, criminal conduct:

A belief that the activity is within reasonable ethical and legal limits--that is, that it is not "really" illegal or immoral.

A belief that the activity is in the individual's or the corporation's best interests--that the individual would somehow be expected to undertake the activity.

A belief that the activity is "safe" because it will never be found out or publicized; the classic crime-and-punishment issue of discovery.

A belief that because the activity helps the company the company will condone it and even protect the person who engages in it. [Ref. 13:p. 88]
Since at least one of these rationalizations is, to some extent, virtually always used as justification by managers when they engage in illegitimate activities, they pose significant threats to the high ethical standards and, hence, the internal security posture, of any organization and especially to those that electronically store and process sensitive information (recall that one of the characteristics of the amateur computer criminal is his/her strong tendency to rationalize the misconduct). So, in the paragraphs that follow, these rationalizations are described and discussed more fully, and then their significance for EDP organizations will be explained.

The first rationalization, that an action is not "really" immoral or illegal, is a very old issue. How far is too far? Exactly where is the line between smart and too smart; between sharp and shady; and between profit maximization and illegal conduct? The issue is complex and involves significant interplay between top management's goals and middle managers' efforts to interpret those goals. [Ref. 13]

Top executives rarely overtly ask a subordinate to commit an act that both know is against the law or is imprudent. However, their actions sometimes speak loudly enough. They can leave things unsaid or give the impression that there are things they do not want to know about. They can seem, deliberately or otherwise, to distance themselves from their subordinates' tactical decisions, so they will not be involved if things go awry. They can promise rich rewards for achieving lofty goals and imply that the means to achievement of these goals will not be too closely scrutinized. [Ref. 13]

The second reason that managers take unhealthy risks, believing that the unethical conduct is in the individual's or the corporation's best interests, nearly always results from a parochial view of the interests involved. Ambitious managers search for ways to make themselves and their organizations look good. They attempt to distinguish themselves by outperforming their peers. Many, in their selfish efforts to succeed, will sacrifice potentially outstanding long-term gain for potentially smaller, but more immediately recognized, short-term rewards. The sad truth is that many managers have been promoted because of "great" results obtained in these ways, leaving unfortunate successors to inherit the inevitable whirlwind. [Ref. 13:p. 88]

Believing that one can get away with abusive (even criminal) behavior, the third rationalization for taking risks, is perhaps the most difficult with which to deal, because it is so often true. A great amount of misconduct escapes detection. [Ref. 10:p. 89] This rationalization is particularly relevant to a computer system's environment because of the fleeting nature of the evidence of abusive acts and the fact that, relatively speaking, ignorance of computer technology reigns supreme among the general populace which often can be easily duped (including honest managers and officials attempting to investigate the abuse).

Also very relevant to a computer system's environment is the final rationalization that allows/encourages managers to commit criminal acts, the belief that the company will condone actions taken in its interests and will even protect the responsible managers. The primary question here is, "How does top management foster a healthy sense of company loyalty without allowing it to go berserk?" [Ref. 13] The issues behind this question are many and appear to apply especially to computer organizations. As Starfire wrote, many (perhaps most) computer crimes go unreported, even after they are discovered. Also, since only 20 percent of the relatively few people that are tried and convicted ever serve any prison time, it ". . . is one of the safest crimes anyone could commit." [Ref. 11]

These four rationalizations were posited by Gellerman after an in-depth review of three incidents in which unethical behavior by top management proved calamitous (and, in two of the cases, nearly fatal) for three of America's financial and industrial giants. The three companies involved were Manville Corporation, Continental Illinois Bank, and E. F. Hutton. Although the details of the three cases differ greatly, there are some similarities in them that are worthy of consideration.

First, the executives whose unethical conduct cost their 
organizations so dearly, were not extraordinary people. As 
Gellerman said, the ". . . people involved were probably 
ordinary men and women for the most part, not very different 
from you and me." [Ref. 13:p. 86] They found themselves in 
a dilemma, and they solved it in a way that seemed the least 
troublesome and most advantageous for their respective com- 
panies (one might call them high-level amateur criminals!). 

The cases also illustrate the fine line that exists between acceptable and unacceptable managerial behavior: managers are expected to pursue their companies' best interests but not overstep the bounds that outsiders will tolerate [Ref. 13:p. 86]. When the "heat is on," managers may neglect standard controls and, if pushed by very lofty goals, may not see clearly their real interests. Instead, they may focus on the ends, overlook the ethical questions associated with their choice of means, and ultimately hurt themselves and their organizations. [Ref. 13:p. 87]


D. SIGNIFICANCE OF RATIONALIZATIONS FOR EDP ORGANIZATIONS

The significance of Gellerman's findings for the top management of an organization employing computerized information systems is enormous. Consider the likely outcome of a situation in which widespread rationalization is allowed to persist in a business alongside other predispositions toward abuse. For instance, it has been discovered that the motives most frequently driving employees to criminally abuse their computers are:

1. Avarice.

2. Desire for the "good life" and material possessions.

3. Financial problems (arising from pressures to spend beyond one's means, drug abuse, illnesses, college costs, gambling debts, and much more).

4. Ego gratification (the challenge of it).

5. Charitable (take from the rich and give to the needy).

6. Revenge (due to a perceived grievance against the employer).
If these motives are strongly felt and if Gellerman's rationalization process has been widely assimilated into the norms of the organization, otherwise honest employees will very likely abuse the computer system and will have very little difficulty justifying their actions in their own minds. This explains the increased frequency with which Parker has observed the amateur computer criminal who has high ethical standards and, yet, begins to act dishonestly because others' unethical acts are seen as being rewarded, while ethical behavior is not only overlooked but, in fact, sometimes hampers progress in a sterile, technical environment.

Another significant aspect of the rationalizations for top management is that the rationalizations suggest that the mores of the company must be set by top management. This means that top managers must first ensure that their own behavior is beyond reproach and then mandate a company-wide ethics policy that is intertwined with corporate culture [Ref. 14]. It is not enough for them to simply dictate the policies; they must also practice them in their daily work routines. As has been written:

Every young manager will experience the effect of others' behavior as determinant of his own. [Most maintain that their superior's behavior is the major reason they behave unethically.] It is the top that sets the ethical tone in most organizations and this is one of the gravest obligations of high-level executives. Their behavior will be emulated and converted to institutionalized custom by lower managers. [Ref. 10]

In a computer organization there is also much risk that unethical behavior by managers will be emulated and institutionalized by nonmanagerial personnel. This is another significant aspect of the four rationalizations that must be considered by top management. While the discussion so far has dealt entirely with managerial ethical issues, it is important to note that practically everything mentioned applies equally well at all levels of many organizations and especially to those that electronically manipulate data.

In fact, the great extent to which illegal conduct has been found to occur at all levels of a computer organization prompted Robert Courtney, an experienced computer security consultant, to dub the phenomenon as the "democratization of white-collar crime." He says that white-collar crime used to be the domain of managers and other traditional occupations of high trust. However, the use of computers has resulted in new and larger numbers of occupations in positions of trust and changed patterns of trust in old occupations. [Ref. 2:p. 103] It is vitally important that top management recognize this fact and take steps to ensure that the expanded nonmanagerial segment of the computer organization acts ethically, as well as the organization's managerial personnel.


E. SUMMARY

Thus, top management must institute ethical business practices at all levels of the organization. It necessarily must begin the process by acting ethically itself (lead the effort from the front) and, then, it must ensure that subordinate personnel understand the need for acting ethically and that unethical behavior will not be tolerated. Top management can greatly facilitate this effort by realizing the dangers inherent to the existence of Gellerman's four rationalizations and by proscribing their employment from the organization. Once the appropriate ethical business environment has been established, top management can then turn its attention to setting up the overall security program.
IV. OVERALL SECURITY PROGRAM


A. INTRODUCTION

After top management has ensured the existence of an appropriate ethical business environment, it must then use that environment as a foundation on which to establish an overall security program. This is important because an ethical business environment, alone, will not succeed and because no amount of individual controls, discussed in the next section, will be sufficient without an overall computer security program within which the safeguards can function. [Ref. 15] This chapter discusses some of the important aspects of the overall security program. It describes some of the important issues that must be considered by top management in setting up an overall security program and demonstrates the importance of top management's active involvement in formulating and supporting the security effort. It then discusses the elements that should be included in any overall security program if it is to viably serve as a framework within which specific control mechanisms can function.


B. IMPORTANCE OF TOP MANAGERIAL INVOLVEMENT

Just as top management's active involvement in and support of the appropriate ethical environment is of paramount importance, the same can be said of the functioning of the overall security program. Indeed, the two issues are so closely related and the management of their processes so closely interconnected that it is difficult to separate them, even as topics of discussion. Surely both are worthy of top managerial consideration.

In the case of organizations that employ computerized information systems, top management's involvement in prescribing and overseeing the security program is especially important. This is not only true because computerized information is very vulnerable (e.g., it may be easily accessed, stolen, altered, or destroyed without anyone knowing for long periods of time), but also because the controls, themselves, are frequently unwieldy, burdensome restrictions that act antithetically to the very purposes of the computer's original "being." Controls stifle creativity and innovation; workers feel encumbered by them (a feeling, often with much merit!); and they will be circumvented unless they are carefully planned and implemented and are seen as being fully supported by top-level management.

Also, since every business is different and has different perceived needs, the specific makeup of the overall security program may naturally be somewhat debatable and will require active high-level participation to be accepted as appropriate for the particular situation. It would be most advantageous if some organization, such as the National Bureau of Standards (NBS), could simply specify a functional security program for any and all companies. Such a specification, however, is not possible because of the many variables involved.

Consider, for example, that:

Each individual computer [organization] is a unique case. The threats it faces are a function of its location, its workforce, its parent organization, its workload, its equipment and software, and its physical facilities. Furthermore, the threats faced by an installation change over time due to changes in employee morale, the workload, the competitive situation, the financial health of the parent organization, and even changes in the environment and physical situation. For instance, the fire hazard may change when a new tenant moves into the floor overhead; competitors' interest in product design information or sales data may suddenly flourish when the parent company successfully launches a new product. Any event which changes the computer environment or the attitudes of people working in that environment can cause a change in the threats faced and should prompt reanalysis to determine if additional countermeasures are warranted. [Ref. 16]

Deriving an effective security program for such a diverse and dynamic environment is difficult. It is often nearly impossible without the active involvement of top executives. This simple realization by top management is a most important ingredient to any effective security program.

It is also important that top management realize that its involvement can be dysfunctional, however, in some cases. As top managers consider the requirements for a computer security program, they will gather environmental information in either a preceptive or receptive manner. Those that "preceive" will judge the situation based on their preconceived notions about computers and computer security. Receptive individuals, on the other hand, are not unduly swayed by preconceptions and reach their conclusions in a more objective manner. [Ref. 17]

High-level managerial recognition of this fact is an extremely important issue to the management of computer systems' security. The personal preferences of top management will often dictate the final nature of the overall security program. Depending upon how top management views the importance of the information system within the organization (as either a strategic or merely a supportive activity), it will take a more or less active role in managing and supporting the system. [Ref. 18] Today, because many high-level managers have reached their positions with little exposure to computer systems in their early careers, or because their exposure was to radically different types of computer issues, they suffer an extremely acute discomfort in addressing information systems' matters [Ref. 18:p. 36].

Such "discomfortable" individuals are likely to approach a computer security program in a preceptive manner and, figuratively, transfer their suffering to the security effort. Under these circumstances, there is no way that a viable security program can exist. This situation possibly underlies a study finding of the Institute of Internal Auditors that general (top) management support for audit and control programs needs to be improved if the integrity of the computer-based information systems is to be ensured.

Ensuring the integrity of the information system comes at great cost, and this represents another reason why top management must be involved in the implementation of the overall security program. Not only are security controls often expensive to purchase and install, but they can be even more costly in terms of their negative impact on organizational productivity. Security generally means controls and controls generally mean that laissez-faire will be replaced with encumbrances on the production floor. Such a situation can quickly become destructive as the best interests of production personnel are placed directly at odds with the security needs of the organization. Consequences ranging from a disregard of the controls (if allowed to occur) to outright abuse of the system (if the controls are strenuously enforced and are viewed as too debilitating) are likely to arise, depending upon how the situation is managed.

Top-level management is clearly needed under such circumstances. Its task in this environment is to ensure the appropriate structure and management processes are in place to referee the balance between the information system user and safeguards imposed by the computer security program. A solid ethical business environment can greatly facilitate the balancing act (by allowing looser controls and, hence, more unfettered work processes), but dozens of security controls will still be necessary. Deciding the extent to which these controls can be allowed to interfere with an organization's raison d'etre falls clearly within the province of top management.

In making this decision, it is important for top management to realize that the inherent risks of an information system mean that it cannot be made 100 percent risk-free and still remain functional. Management must decide not only the character of the overall security program and the types of controls employed, but it must also decide the level of risk that is acceptable and the amount of time, energy, money, creativity, and/or innovation that is to be expended in attaining that level. A tradeoff must be made between the direct and indirect costs of the security program and the probable loss that could be incurred if the security effort were not made. [Ref. 19]

In light of the above, it is incumbent upon top management to effect an overall security program that is appropriate for its individual organization at that particular time. It must provide leadership, resources, and support for the effort. It must actively participate in the formulation of the overall security program because it is that program that will serve as the framework in which specific safeguards will be implemented. A small investment of high-level time and energy during the inception of the security program will later pay significant dividends in terms of enhanced effectiveness of the security effort, minimized damage to the efficiency (productivity) of the organization's mainstay operations, less duplication and fewer requirements for change, and better acceptance and support at all hierarchical levels.


C. NECESSARY ELEMENTS OF THE OVERALL SECURITY PROGRAM


The remaining important issue with which top management must deal is the makeup of the overall security program. As has previously been stated, it is impossible to specify one that would be universally applicable in any organization. However, there are certain elements of a security program that should be considered and stated by top managers of any organization as they implement a security strategy. These include the objectives of the program, issues that should be written into the program's charter, comprehensive and wide-ranging security guidance, and other key ingredients that will be discussed below.
1. Objectives 

R.C. Summers, in "An Overview of Computer Security," says that a computer security program should ". . . include concepts, techniques, and measures that are used to protect computing systems and the information they maintain against deliberate or accidental threats." [Ref. 20] He states that the objectives of a good security program should be to:

a. Protect The System

The security program must ensure the protection of information against unauthorized modification, destruction, or disclosure. This is especially important when one considers that the computer has become many organizations' main repository of records representing all types of information ranging from personnel files to cash and inventory records to trade secrets.

b. Maintain Integrity/Availability

The security program must ensure the maintenance of the integrity and availability of the computing system and its applications. This area includes the use of computers in such applications as manufacturing process control and airline reservation systems in which the data must be protected and readily available for use.

c. Secure Computer Records

The program must ensure that computer records are secured in compliance with the legally mandated requirements of the countries and states in which the system is operated. Examples of such legal mandates include provisions of the Foreign Corrupt Practices Act and the 1974 Privacy Act. [Ref. 20:p. 309]
2. Security Charter 
In order for these objectives to be met, the computer security program must be based on top management policy and support that clearly define a security charter and its scope [Ref. 15]. While these are also situation-dependent and cannot be described specifically, there are certain items that should be included in the security charter of most organizations. For example, the specific goals and objectives of the security program should be included, along with the degree to which top management intends to support the program and the authority that is possessed by security personnel. These things should be clearly specified in writing because of the likelihood of conflict between security implementors and system users. The written document can serve as a contract between top management and security personnel and eliminate much misunderstanding, frustration, and organizational infighting. Also, the mere act of formalizing and reducing to writing the scope of the security program, the bounds of the authority of security personnel, and the degree of managerial support forces high-level managers to address these important issues head-on and in an open-eyed fashion.
3. Security Guidance 

Another issue that should be addressed in a similar fashion is top management's security guidance to the organization. This guidance should be fairly specific in intent but should be comprehensive and wide-ranging so as to cover all areas that are deemed important by top management. For example, the Department of the Army's guidance begins with a general statement:

Sensitive defense information processed by Army automated operations and associated telecommunication systems must be safeguarded against unauthorized access, modification, use, destruction, or denial of use. [Ref. 21]

The Army then proceeds to list 14 specific guidelines, along with their associated subparagraphs. Many organizations will not require the type of in-depth guidance from the top that has been provided by the Department of the Army (DA), but much of the Army's guidance is relevant to any organization that has a need to secure its computer assets. For example, it is DA's policy that resolution of the complex problems inherent in automation requires "an approach which cuts across functional lines and the greatest degree of coordination and cooperation between all levels of management." [Ref. 21] The "top brass" of the Army has seen the need to concern itself with such mundane matters, and its counterparts in any organization employing computer systems should do likewise. Other DA-directed guidance that top management of civilian businesses should include in their security programs includes the features listed in Table 3. These items are briefly described in the following paragraphs.
TABLE 3
ITEMS TO BE INCLUDED IN THE OVERALL SECURITY PROGRAM
- Risk Management Programs
- Control and Compliance Audits
- Protection of Remote Devices
- Priority Employment of Countermeasures
- Design Security Measures into New Systems
- Balance Security with Security Needs
- Background Investigation
- Performance Appraisals

a. Risk Management Programs

Top management should mandate the establishment of a formal risk management program for each system handling sensitive information. Security measures should be applied in response to identified risks. [Ref. 21] Ron Weber says that a formal risk management program should consist of the following three major activities: risk identification, risk measurement, and risk control. [Ref. 7:p. 75] Each is briefly discussed below.

(1) Risk Identification. The first step in risk management is to make an inventory of potential disasters that face the organization. This inventory should include consideration of natural disasters (e.g., hurricanes); man-made disasters (e.g., accidents, riots, sabotage); external threats and financial disasters (e.g., legal/social responsibilities, management changes, competition changes); instability and unreliability of man and high-tech machinery; and, hostile action (e.g., espionage, fraud, theft, mischief). Each list of potential disasters must be complete so that contingency plans will not be inadvertently omitted.

(2) Risk Measurement. Assessing the loss that may occur from different disasters is difficult, but it must be accomplished as a basis for establishing the amount of money that should be spent on security. One way of measuring risk is to estimate the possible losses that can occur from a disaster, and the probability of the disaster, itself, occurring. These estimates form the basis of calculating the expected loss from possible disasters facing the organization. The expected loss in turn forms the basis for deciding how much to spend on risk control.

(3) Risk Control. Risks can be controlled through system design, installation of security measures, and regular security audits. However, some residual risk will always exist. This type of risk may be handled by the individual organization's treating any losses as normal operating expenses; by sharing the risk with other firms through trade associations (e.g., members agree to provide each other with backup facilities); or, the risk may be transferred contractually through insurance (discussed later). [Ref. 7:pp. 76-77]
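Weber's three activities carried through in code, as an added example that is not from the thesis or from Weber's text: an inventory checked for coverage of every disaster category (identification), expected loss computed as probability times loss and summed (measurement), and a treatment chosen for each risk together with the residual that remains after a control (control). The threat names, probabilities, dollar figures, control costs and the treatment rule of thumb are all constructed assumptions.

```python
"""Risk management worked example: identify, measure, and treat risks.

Added illustration, not from the thesis or from Weber's text. It walks the
three activities (identification, measurement, control) over a constructed
threat inventory; every threat name, probability and dollar figure below is
a made-up sample value.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Disaster categories the inventory must cover (identification step)."""
    NATURAL = "natural disaster"
    MAN_MADE = "man-made disaster"
    EXTERNAL = "external threat or financial disaster"
    INSTABILITY = "instability of people and high-tech machinery"
    HOSTILE = "hostile action"


class Treatment(Enum):
    CONTROL = "reduce through design, security measures, audits"
    ACCEPT = "treat losses as a normal operating expense"
    SHARE = "share with other firms (e.g., mutual backup facilities)"
    TRANSFER = "transfer contractually through insurance"


@dataclass(frozen=True)
class Threat:
    name: str
    category: Category
    annual_probability: float  # estimated chance the disaster occurs in a year
    loss_if_occurs: float      # estimated loss from one occurrence, dollars

    def expected_loss(self) -> float:
        """Risk measurement: expected annual loss = probability x loss."""
        if not 0.0 <= self.annual_probability <= 1.0 or self.loss_if_occurs < 0:
            raise ValueError(f"bad estimate for {self.name}")
        return self.annual_probability * self.loss_if_occurs


def missing_categories(inventory):
    """Identification: categories with no entry, so no contingency plan is omitted."""
    return set(Category) - {t.category for t in inventory}


def total_expected_loss(inventory):
    """Measurement: the sum is the ceiling for what risk control is worth spending."""
    return sum(t.expected_loss() for t in inventory)


def recommend_treatment(threat, materiality, control_cost=None, control_reduction=0.0):
    """Control: a constructed rule of thumb (an assumption, not Weber's) for each risk.

    - expected loss at or below materiality: absorb as an operating expense
    - a control that costs less than the loss it removes: install it
    - rare but catastrophic: transfer to an insurer
    - otherwise: share the exposure through a trade association
    """
    el = threat.expected_loss()
    if el <= materiality:
        return Treatment.ACCEPT
    if control_cost is not None and control_cost < el * control_reduction:
        return Treatment.CONTROL
    if threat.loss_if_occurs > 10 * materiality and threat.annual_probability < 0.05:
        return Treatment.TRANSFER
    return Treatment.SHARE


def residual_expected_loss(threat, control_reduction):
    """Residual risk left after a control removes `control_reduction` of the loss."""
    return threat.expected_loss() * (1.0 - control_reduction)


# Constructed sample inventory (not from the thesis).
INVENTORY = [
    Threat("hurricane floods the computer room", Category.NATURAL, 0.02, 2_000_000),
    Threat("sabotage by a disgruntled operator", Category.MAN_MADE, 0.05, 300_000),
    Threat("loss of a major contract to a competitor", Category.EXTERNAL, 0.10, 50_000),
    Threat("operator error corrupts the master file", Category.INSTABILITY, 0.50, 20_000),
    Threat("payroll embezzlement through the system", Category.HOSTILE, 0.10, 100_000),
]

# Constructed control estimates keyed by threat name: (annual cost, fraction of loss removed).
CONTROL_OPTIONS = {
    "operator error corrupts the master file": (4_000, 0.8),
    "sabotage by a disgruntled operator": (20_000, 0.5),
    "payroll embezzlement through the system": (3_000, 0.9),
}


def plan(inventory=INVENTORY, materiality=5_000):
    """Run all three activities and return a treatment per threat name."""
    result = {}
    for t in inventory:
        cost, reduction = CONTROL_OPTIONS.get(t.name, (None, 0.0))
        result[t.name] = recommend_treatment(t, materiality, cost, reduction)
    return result


if __name__ == "__main__":
    print("uncovered categories:", missing_categories(INVENTORY))
    print("total expected annual loss:", total_expected_loss(INVENTORY))
    for name, treatment in plan().items():
        print(f"{name}: {treatment.value}")
```

With these sample figures the hurricane (rare, catastrophic) is insured, the two threats whose control costs less than the loss it removes get a control, the contract loss sits at the materiality line and is absorbed, and the sabotage risk, where the candidate control costs more than it saves, is left to be shared; the point of `total_expected_loss` is that it bounds how much the organization should rationally spend on all of these combined.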

b. Control and Compliance Audits 

Requiring strict control and compliance audits of operations and software development and maintenance activities should be a top management priority. [Ref. 21] Weber suggests that, in control audits, both management and application controls be reviewed. He says that management controls should be checked first because pervasive weaknesses in these controls may cause the auditor to deem further review to be unnecessary. When auditing controls, the auditor should assume that necessary controls are in place and functioning as alleged by the organization. He/she then identifies causes of possible loss and evaluates the effectiveness of the controls at prohibiting the expected loss or at reducing the losses to acceptable levels.

The purpose of compliance auditing is to determine whether or not the system of internal controls operates as it is purported to operate. The auditor seeks to determine whether or not alleged controls in fact exist and if they work reliably. In compliance auditing, computer-assisted testing is especially valuable. [Ref. 7:p. 30]

c. Protection of Remote Devices 

Top management must recognize the peculiar vulnerabilities inherent in remote terminal devices and ensure that EDP management adequately protects these systems. [Ref. 21] Remote devices may be teletypewriters, keyboard/displays, minicomputers, microcomputers with modems, remote job entry stations, and automated teller machines. Because they are machines through which data are entered and output received, and can be used to perpetrate computer fraud, their security deserves special attention.

Generally, security measures for these devices should be the same as for the central computing facility. Access to the terminals should be restricted when possible. It is particularly important to restrict access to terminals that are used to access or update sensitive data files, data bases, and programs. It may be desirable to isolate such terminals in locked rooms to which only authorized users have keys. [Ref. 12:pp. 270-271]

d. Priority Employment of Countermeasures

A key top management responsibility is to ensure that costly or elaborate security countermeasures are applied only after administrative, personnel, physical, and communication security controls have been shown to be inadequate. [Ref. 22] Inherent in this element are the system efficiency and effectiveness issues discussed by Weber. The countermeasures are considered to be effective if they accomplish their objective of ensuring a reasonable level of protection for the information system. They are considered efficient if they consume the minimum resources in achieving the expected level of effectiveness. [Ref. 7]

As was suggested in the introduction to this thesis, many experts believe that most computer security needs can be met by common-sense measures, such as the administrative and personnel procedures currently employed in most organizations. It would be unwise to expend resources on more elaborate measures until the benefits of the already-in-place controls have been maximized.
e. Design Security Measures into New Systems

Top management should mandate that protective measures be made a part of the original design of all new automated systems because of increased effectiveness and decreased cost. [Ref. 22] This guideline pertains particularly to the high-technology controls that are implemented at the lower levels of Weber's security onion. Specifically, it refers to security-related algorithms and audit processes that are incorporated directly into a software system. It is important that these types of controls be planned and incorporated at the earliest possible stages of development because of the exponential rate of increase in the costs of changing the software to add the features at a later stage. For example, as taught in Naval Postgraduate School software engineering classes, it is 100 times more expensive to change a large software system after the system is in operation than it is to simply incorporate the change during the initial requirements specification stage. While all security needs cannot be known in advance and, therefore, some countermeasures must be incorporated in later stages of development or after the applications program is in operation, it is very important that top management ensure that security is a prime design consideration and that its needs, to the greatest extent possible, are included in the design specifications.
f. Balance Security With Security Needs 

Top managers must require that measures taken to attain security objectives be commensurate with the importance of the operation to mission attainment, the sensitivity and criticality of the material being processed and the relative risks of the system. This guideline also deals with system efficiency and effectiveness issues and was previously discussed in Section IV.B.

g. Background Investigations

The personnel department must be required to conduct background investigations on all persons filling positions designated as sensitive [Ref. 21]. After an applicant has successfully completed all the initial hiring steps (e.g., employment application, job interview), the information must be reviewed and verified for accuracy. The purpose of the review and verification is twofold: to determine the suitability of the individual for the job; and to determine if there are any problems in the applicant's background that may indicate potential risks.

The verification, or background investigation, may be conducted by the company's own personnel or by an outside agency. Regardless of who performs it, the cost of verifying the information is dependent on the extent of the investigation (which is driven by security needs) and on the time in which it must be completed. The goal of the background investigation is to prepare an impartial profile of the applicant from which an objective evaluation regarding the applicant's suitability can be made. The methods employed in conducting the investigation include personal, face-to-face contact, telephone interviews, and letters requesting desired information. The most effective way is face-to-face discussion; the least effective way is by written correspondence. [Ref. 12:p. 61]

In light of the recent spate of espionage incidents involving high-level government officials (e.g., a retired Naval intelligence officer, and agents of the FBI and CIA), all of whom presumably withstood extensive background investigations, it seems obvious that background checks cannot be considered the sole panacea. They should not be viewed as such, especially since good people can always go bad. Rather, background investigations should be viewed as an effective tool to "weed out" undesirable employee candidates and make the hiring procedures as effective as possible. This is not a terrible end, in and of itself, since, as Dick Brandon has been quoted as saying, better than 80 percent of the incidents of employee theft, fraud, misuse of information, or sabotage could have been prevented by more effective hiring procedures (based upon an examination of the records of the victimized organizations). [Ref. 12]
h. Performance Appraisals

A final guideline that top management should specify is the requirement that EDP management must include in individual job descriptions the fact that maintenance or enhancement of EDP security has high priority and will be heavily weighed in performance appraisals. Stoner and Wankel define performance appraisal as ". . . the continuous process of feeding back to subordinates information about how well they are doing their work for the organization." [Ref. 17:p. 342] They also make a distinction between informal appraisals (i.e., those conducted spontaneously and on a day-to-day basis) and systematic appraisals that are more formal, occur semiannually or annually, and are directly related to merit raises and promotions. [Ref. 17:p. 342]


In order for performance appraisals to be effective at enhancing computer security, it is important that both types of appraisals be employed and that they include matters related to security. Spontaneous, day-to-day recognition of security-conscious performance of duty, coupled with appropriate pay raises based, in part, on security-enhancing work practices, will demonstrate clearly to all employees that the organization is paying more than "lip-service" to security. The old adage, "The squeaky wheel gets the grease," applies very well.

4. Other Key Elements


In addition to the objectives, security charter and guidance set forth by top management, the National Bureau of Standards says there are five other elements that should be included in an overall security program if individual controls are to be effectively implemented and used (see Table 4). [Ref. 15]

TABLE 4
NATIONAL BUREAU OF STANDARDS KEY ELEMENTS FOR A SECURITY PROGRAM
- Computer Security Policy and Control
- System Design Standards
- Insurance
- Contracting Management
- Control Implementation Strategy

A brief discussion of these elements follows.
a. Computer Security Policy and Control

General management must ensure that the organization has a computer security policy coordination function. This function may be the responsibility of one or more persons who act as a focus for computer security policy and coordination. The function should be separate from, but closely coordinated with, EDP activities. Its primary responsibility is to develop workable computer security standards and to coordinate the acquisition or implementation of security controls. In addition, this function works closely with auditing to verify compliance with standards and adequacy of the controls in place. [Ref. 15]

The policy and control function is important not only because computer security standards must be set commensurate with the needs of the organization (i.e., they must adequately control without becoming dysfunctional), but they must also be maintained in a state that is ready and prepared to meet the current threat. Managing this process is a real challenge because of the "natural enemies" of any program to prevent computer abuse. Krauss and MacGahan have identified three such natural enemies as being:

(1) Inertia. This is a two-headed monster that represents the organizational forces that make compliance with newly implemented security measures difficult to achieve and also those that create tendencies to effect business or system changes without considering computer security needs. [Ref. 12:p. 424]

(2) Changing Business Requirements. Business requirements can change as a result of competitive pressures, because new products and services are offered to the public, or because new technologies provide more desirable computer processing alternatives. These changing business requirements will be translated into changes in the company's computer applications. Unless there is a function to supervise the changes and to ensure that computer security considerations are integrated into the new system, the company will be in trouble. [Ref. 12:p. 425]

(3) Changes to Organizational Structure. Any organization's structure can be expected to change over time, e.g., two departments may be combined under the direction of one manager. Such changes can be extremely hazardous unless security is a prime consideration at the time the change is made. For example, combining two departments may reduce the effect of dual controls over assets and the amount of separation of duties present in specific job applications. [Ref. 12]

The computer security policy and control function should be designed to be especially on guard against these "natural enemies." Security policies and controls should be carefully selected so that it is easier for individuals to comply with them than it is to circumvent the security effort. Also, the policies and controls must be flexible and carefully managed to ensure that they remain appropriate for the dynamic environment in which they must function. Close coordination is a "must" under such circumstances, and therein lies the need of the security policy and control element.

b. System Design Standards

As suggested by the DA-directed guidelines, top management must ensure that internal controls and other security mechanisms are included among the system design considerations. Standards or guidelines should be established to ensure that they are included. [Ref. 15:p. 10] This, in essence, means that standards should exist requiring that,

. . . the [EDP] auditor participates in the system development process . . . to ensure, for the specific application system, that controls are built into the system to safeguard assets, ensure data integrity, and achieve system effectiveness and efficiency. [Ref. 7:p. 99]

The guidelines in the following table (Table 5) should be observed in the design of any computer system.

TABLE 5
SYSTEM DESIGN GUIDELINES
- Require user department and internal audit department approval of system development projects
- Require user department and internal audit department involvement in the system's specification and design phase of the project
- Require user department and internal audit department approval of detailed user specifications
- Require the preparation of detailed technical specifications and of a detailed plan for the development of the system.

Source: [Ref. 12:p. 125]

A brief description of these guidelines follows.


(1) Require User Department and Internal Audit Department Approval of System Development Projects. Before a system development project is undertaken, the project should be reviewed, authorized, and approved in writing by the appropriate user department and internal audit department. These departments will have to be intimately involved in the system development process. They must, therefore, be aware of and approve all system development projects at their inception. [Ref. 12:p. 124]

(2) Require User Department and Internal Audit Department Involvement in the System Specification and Design Phase of the Project. The two departments should be involved in this phase of the project to ensure that the new system complies with acceptable accounting policies, accounting and application controls, and other recordkeeping procedures required by regulatory agencies, such as the IRS. They should also ensure that the system is designed with management's objectives and user's needs in mind. [Ref. 12:p. 127]

(3) Require User Department and Internal Audit Department Approval of Detailed User Specification. System designers must, in the course of designing the new system, prepare a detailed user specification manual fully describing the new system. This manual must be carefully reviewed by the user and internal audit departments to ensure that the specifications are accurate and complete and meet their needs. After these departments are satisfied, they must indicate their approval in writing. Then, and only then, can the system development process proceed. [Ref. 12:p. 127]

(4) Require the Preparation of Detailed Technical Specifications and of a Detailed Plan for the Development of the System. These documents will guide the programming, file conversion, user training, and testing of the system being developed. They will also be used to guide, control, and check the programmers' work. [Ref. 12:p. 128]
c. Insurance

Top management must ensure that the insurance program is maintained in an up-to-date manner. [Ref. 15:p. 10] It can accomplish this by considering the types of insurance necessary for covering EDP equipment and facilities, EDP media, business interruptions, valuable papers and records, accounts receivable, and malpractice, errors, and omissions. [Ref. 16:pp. 86-87] It must then employ the eight steps in Table 6 to determine the amounts of insurance to purchase for each of these types (if any--many large corporations and most governments are self-insuring). On a periodic basis or when major changes or purchases of equipment are made, the steps in Table 6 must be repeated to ensure that the organization is not under or over covered.
TABLE 6
STEPS REQUIRED TO DETERMINE AMOUNTS OF INSURANCE COVERAGES
1. Make a formal threat analysis.
2. Eliminate from further consideration those threats adequately countered by the environment, the facility, and the security procedures.
3. Prepare a worst-case disaster scenario covering the remaining risks.
4. For each scenario, prepare a contingency plan which would keep the facility in operation.
5. For each step in the contingency plan, make sure elapsed time and dollar expense have been estimated.
6. Summarize the costs for all contingency plans and post the totals, as appropriate, to the types of insurance mentioned above (e.g., to equipment and facilities, media, business interruptions, etc.).
7. Review the coverage and the exclusions prior to going into final negotiations with the insurance agent.
8. If the quoted premium seems excessive, arrange for an on-site field inspection with technical representatives of the insurance company to determine what can be done to change the system, procedures, or facilities to reduce the risk and bring the premium in line.

Source: [Ref. 16:p. 287]

d. Contracting Management

Top management must ensure that contracting personnel are well-trained in computer technology and terminology. They must have a thorough understanding of security safeguards, the need to have them designed into new systems, and other particular security-related problems associated with software development and purchases of hardware, supplies and services.
e. Control Implementation Strategy

An important issue for top management to consider in developing a security program is the manner in which the controls should be implemented. To ensure that controls are not installed haphazardly, that they are not overly restrictive, and that they are the most cost-effective for the risk at hand, a strategy for implementation of controls should be employed. [Ref. 15:pp. 9-11] Robert H. Courtney, in a document prepared for the Federal Information Processing Standards Task Group 15, detailed the steps that should be included in such a strategy. These steps include:

1. Perform a security risk analysis.
2. Consider all security measures (controls) available.
3. Select the control that minimizes the risk at minimum cost.
4. Implement the control measure that is deemed most feasible.
5. Evaluate its effectiveness and actual cost.
6. Restart the process. [Ref. 22]
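Courtney's six steps run as a loop, as an added example that is not from the thesis or from the Task Group 15 document: each round takes the expected loss from the risk analysis, considers the candidate controls, selects the one that minimizes risk at minimum cost, "implements" it, evaluates it against the effectiveness and efficiency criteria from Weber discussed above (residual loss reached versus resources consumed against estimate), and restarts with the residual loss. The control names, estimated and actual costs, reduction fractions, and the rule that a control is only worth installing if it costs less than the loss it removes are constructed assumptions; in practice the actual figures would come from the evaluation step rather than from a lookup table.

```python
"""Control implementation strategy as an iterative loop.

Added illustration, not from the thesis or from Courtney's document: the six
steps (risk analysis, enumerate controls, select the control that minimizes
risk at minimum cost, implement, evaluate actual cost and effectiveness,
restart) run as a loop over constructed sample controls and figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    estimated_cost: float       # annual cost estimated before implementation
    estimated_reduction: float  # fraction of expected loss it should remove


def total_exposure(expected_loss, control, reduction=None, cost=None):
    """Cost of living with a control: its cost plus the loss that remains."""
    r = control.estimated_reduction if reduction is None else reduction
    c = control.estimated_cost if cost is None else cost
    return c + expected_loss * (1.0 - r)


def select_control(expected_loss, candidates):
    """Step 3: the control that minimizes risk at minimum cost.

    Constructed rule: a control is only worth installing if it costs less than
    the loss it removes; among those, the lowest total exposure wins. Returns
    None when no remaining control pays for itself.
    """
    worthwhile = [c for c in candidates
                  if c.estimated_cost < expected_loss * c.estimated_reduction]
    if not worthwhile:
        return None
    return min(worthwhile, key=lambda c: total_exposure(expected_loss, c))


def evaluate(control, loss_before, actual_cost, actual_reduction, target_residual):
    """Step 5: effective if the protection target is reached, efficient if it
    consumed no more resources than estimated."""
    residual = loss_before * (1.0 - actual_reduction)
    return {
        "control": control.name,
        "residual_expected_loss": residual,
        "effective": residual <= target_residual,
        "efficient": actual_cost <= control.estimated_cost,
        "cost_overrun": actual_cost - control.estimated_cost,
    }


def run_strategy(expected_loss, candidates, target_residual, actuals, max_rounds=10):
    """Steps 1-6 as a loop. `actuals` maps a control name to the (actual_cost,
    actual_reduction) observed after implementation (constructed here)."""
    remaining = list(candidates)
    history = []
    for _ in range(max_rounds):
        if expected_loss <= target_residual:      # risk analysis says: done
            break
        chosen = select_control(expected_loss, remaining)
        if chosen is None:                        # nothing left pays for itself
            break
        actual_cost, actual_reduction = actuals[chosen.name]   # step 4 outcome
        report = evaluate(chosen, expected_loss, actual_cost, actual_reduction, target_residual)
        history.append(report)
        expected_loss = report["residual_expected_loss"]       # step 6: restart
        remaining.remove(chosen)
    return {"rounds": history, "final_expected_loss": expected_loss,
            "target_met": expected_loss <= target_residual}


# Constructed sample controls and post-implementation observations (not from the thesis).
CANDIDATES = [
    Control("access-control software", 12_000, 0.60),
    Control("locked terminal rooms", 3_000, 0.30),
    Control("quarterly compliance audit", 8_000, 0.40),
    Control("24-hour guard force", 90_000, 0.90),
]
ACTUALS = {
    "access-control software": (15_000, 0.50),   # cost more, did less than estimated
    "locked terminal rooms": (3_000, 0.30),
    "quarterly compliance audit": (8_000, 0.40),
    "24-hour guard force": (90_000, 0.90),
}


def demo():
    """Start from an expected annual loss of $80,000 with a $10,000 target."""
    return run_strategy(80_000.0, CANDIDATES, 10_000.0, ACTUALS)


if __name__ == "__main__":
    result = demo()
    for r in result["rounds"]:
        print(f"{r['control']}: residual {r['residual_expected_loss']:.0f}, "
              f"effective={r['effective']}, efficient={r['efficient']}")
    print("target met:", result["target_met"], "final:", result["final_expected_loss"])
```

Three controls are installed in order of total exposure; the guard force never qualifies because its cost exceeds the loss it would remove, so the loop stops with $16,800 of residual expected loss still above target. That residual is exactly the risk the previous subsection says must be accepted, shared, or insured, and the first round's efficiency flag shows why step 5 measures actual rather than estimated cost.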

It is important to mention that, generally, top management will not be the actual implementor of this strategy. Its task is to ensure that a strategy is derived and employed. Security personnel, working with EDP management, will follow the strategy in implementing most of the computer security controls within the framework of the overall security program. A further discussion of this process follows in the next section.


D. SUMMARY 

It is extremely important that top management gets directly involved in the formulation of the overall security programs. This is true for several reasons. First, the overall program serves as the framework in which the whole

stances, there are certain elements that must be made part of all security programs. These include clearly stated objectives and guidance, a carefully written security charter, and several other key elements normally found in good overall security programs.
V. TOP MANAGEMENT CONTROLS

A. INTRODUCTION

After top management has ensured that an overall security program has been implemented as a framework within which specific security controls may function, it then must take steps to ensure that appropriate control mechanisms are selected and employed. It does this by selecting and implementing its own measures and by ensuring that lower level managers follow suit. The controls implemented within the organization will, therefore, range from the relatively broad-based and non-technical measures of top management to the very specific and technical controls initiated by the managers of the lower-level control layers described by Ron Weber's model.

This section covers the security controls needed to protect an organization's computer assets. It describes how the Department of Justice and the National Bureau of Standards approached the task of identifying security controls that are needed at each organizational level. Then, it describes the specific controls that should be initiated at the top management level. First, however, the discussion briefly focuses on how security controls at various organizational levels function interdependently to provide an adequate security "blanket" against computer abuse.


B. INTERDEPENDENCE OF SECURITY CONTROLS

As mentioned, top management's controls are general, broad-based, and non-technical. Their purpose is mostly to tackle major problems that affect the whole organization and to provide direction and guidance to managers at subordinate levels. In this latter sense, top management controls are nothing more than a very closely related extension of the overall security program: they extend the framework within which the subordinate level controls must operate.

The part that top management's controls play in extending the security framework is crucial to the proper functioning of the security effort. They assist subordinate managers in determining the appropriate security emphasis and controls needed at their levels and ensure that all the controls are coordinated and integrated in a manner that will eliminate "holes" from the layers of Weber's security "onion" (otherwise his "onion" would be more analogous to a layered ball of swiss cheese!). By ensuring that each successive layer of controls is properly interleaved, top management can, in effect, form a relatively impervious, protective seal around the organization's sensitive information systems. Also, by carefully selecting their control mechanisms, top managers can allow subordinates the greatest possible latitude in selecting and installing their more specific controls and, thus, lessen the perceived impact of all controls on subordinate operations. The key to success seems to be in identifying the appropriate top managerial controls and in implementing them in the least restrictive manner possible consistent with the security needs of the organization.


C. PROCESS OF IDENTIFYING THE APPROPRIATE CONTROLS

There has been much research into which controls are most effective at securing a computer system while leaving it, operationally, the most unfettered. Much of the research has been conducted by two agencies of the federal government, the U.S. Department of Justice (DOJ) and the National Bureau of Standards (NBS). As seen below, although the agencies took quite different approaches to identify the needed controls, their findings were remarkably similar.

The approach taken by DOJ was to exhaustively search through dozens of organizations that employ computer systems to identify the security control measures, based on common usage and prudent management, that are so widely employed that they could be considered absolutely essential to the security of any computer system under normal circumstances. The Department's idea is that, if such a set of controls could be developed, it could serve as a baseline of control measures which could assist all computer organizations in effecting and maintaining at least a minimally acceptable information system's security posture. [Ref. 23]

The DOJ does not purport its baseline concept as an alternative to quantitative and qualitative risk assessment methods, but it does believe that there are many benefits of a baseline of controls. For example, accepting industry standard and time-tested controls would save organizations much time, money, and effort that they would otherwise expend on researching already resolved problems. Also, management could be relatively content knowing that the firm's computer assets were safeguarded at least up to the baseline level by generally used controls. [Ref. 23:pp. 4 and 33]
However, as DOJ attempted to identify baseline security measures, it found that no such commonly employed set of controls exists. Instead, the Department found dozens of controls, each usually recommended by one or two users but:

. . . not necessarily supported by widespread use. The Systems Auditability and Control Reports from the Institute of Internal Auditors identifies 300 controls and a set of control objectives based on a survey of 1,500 computer-using enterprises. However, one conclusion of these 1977 reports was a significant lack of common usage. Only a few organizations were found to be using any particular control. [Ref. 23]
Every computer organization has traditionally viewed its situation as unique and has derived its security-related controls completely independently of other organizations, even those with similar functions. The result is that a plethora of controls and security postures, of varying forms and degrees of effectiveness, exists throughout the industry. Because of the dearth of industry-wide commonality, DOJ narrowed the scope of its search to only a few organizations that dealt with highly sensitive personal data and managed to identify 82 separate controls for different organizational levels and functions, including eight baseline controls that should be "management initiated."

The National Bureau of Standards' approach to identifying essential security controls was different, even though its objectives and expected benefits were basically the same. The NBS attempted to identify a set of security controls by having independent research organizations, expert in computer crime, study actual criminal cases to identify the control measures that would have been necessary to prevent or detect the illegal activity. The NBS study identified 88 total controls, with only three listed as falling under the purview of "general management." [Ref. 15:pp. 11, 12, 20]


D. SPECIFIC TOP MANAGERIAL CONTROLS

In the subsections that follow, specific top management controls needed to ensure the protection of sensitive computer assets are discussed, starting with those of DOJ and NBS. Then, other top managerial controls, as gleaned from pertinent literature, are considered. In essence, this section describes the DOJ and NBS skeletal framework of top management-initiated controls. It then "fleshes out" that framework by providing additional controls needed to manage the inherent dishonesty, negative motivational forces, and available opportunities that might cause/allow an otherwise good employee to become an amateur computer criminal. The controls that are discussed are listed in the following table (Table 7).


TABLE 7

TOP MANAGEMENT CONTROLS

DOJ:
  Computer Security Officer
  Computer Security Management Committee
  Cooperation of Computer Security Officers
  Keeping Security Reports Confidential
  Data Classification
  Financial Loss Contingency and Recovery Funding
  Separation and Accountability of EDP Functions/Duties
  EDP Auditor

NBS:
  Adjustment/Correction Reporting
  Job Rotation
  Disaster Avoidance

Other:
  Guidelines for Ethical Decisionmaking
  Standards of Conduct
    * Gratuities
    * Moonlighting
    * Organizational Property
    * Nonuse/nondisclosure
    * Substance Abuse
    * Gambling
  Employee Assistance Program
  "Whistle Blower" Policy


1. Top Management Initiated Controls (DOJ)

The Department of Justice suggests the following controls be initiated.

a. Computer Security Officer

The first of DOJ's eight top management-initiated controls is the "Computer Security Officer." It is described in DOJ's pamphlet, Computer Security Techniques, as follows:


An organization with sufficient computer security resources should have an individual identified as a computer security officer. In small organizations, the individual appointed may share this responsibility with other duties. In large organizations, one or more full-time employees should be assigned computer security administration responsibilities. The computer security officer should ideally be part of the protection or security department covering the entire organization. This provides proper scope of responsibility for information and its movement throughout the organization. For practical purposes the computer security officer often functions in the computer department. Job descriptions are highly variable; examples may be obtained from many organizations that have established computer security officers. [Ref. 23]


inadequacy of system controls. Its main strength is that the security officer provides a focus for the formal development of a computer security program. Also, depending upon his or her hierarchical placement within the organization, top management's degree of support for the security effort may be conveyed to the entire firm. Working through the security officer, top management can ensure an effective security program without having to "micro manage" the effort. The two main weaknesses of the control are its relatively high cost and the fact that line managers may attempt to transfer their responsibility for security to the computer security officer. [Ref. 23:p. 4-9]

A job description for the computer security officer should include, but not be limited to, the following duties:

(1) Represent the EDP Organization. The 
security officer will function on behalf of the EDP manager 
as the point of contact for all aspects of EDP security. 
His or her position must be separated from the primary EDP 
operations so that it can remain totally objective. 

(2) Suspend EDP Operations. The security officer must cause total or partial suspension of operations (depending on the situation) upon detection of any activity which will affect the security of the system. The suspension will remain in effect until removed by the EDP manager. The security officer must also have the authorization to suspend access to any system subscriber.

(3) Provide Written Directives. The security 
officer will prepare, distribute, and maintain plans, 
instructions, guidance, and/or standard operating procedures 
concerning the security of automated operations. He or she 
must also conduct periodic surveys to determine compliance 
with written standards. 

(4) Conduct Risk Assessment. The security officer must review threats and formally assess risks of vulnerabilities so that effective countermeasures may be employed.

(5) Provide for Physical Security. The security officer should periodically conduct physical security surveys to ensure that computer assets are safe and secure in their physical setting.

(6) Conduct Reviews and Evaluations. The 
security officer should review and evaluate the security 
impact of system changes, including interfaces with other 
automated systems. 

(7) Provide for Training. The security officer should coordinate and monitor periodic security indoctrination and training sessions for all employees.

(8) Advise Higher-Level Managers. The security officer should stay abreast of state-of-the-art security practices and technology and advise higher-level management of cost-effective improvements in the security posture.

(9) Review Reports. The security officer 
should conduct, from a security viewpoint, a daily review of 
audit trail and system management or user access reports. 

(10) Control System Access. The security 
officer will issue and control physical access authorization 
of personnel with a demonstrated requirement to enter the 
activity or site (including users, contractors, and mainte- 
nance personnel). This also includes the management and 
issuance of system passwords. 


(11) Retain Review Authority. The security officer should retain the capability to audit or review every file within the system without obtaining prior permission from the file owner. [Ref. 21:p. 4]

b. Computer Security Management Committee

The second DOJ control, "Computer Security Management Committee," is described as follows:


A high-level management committee is organized to develop security policy and oversee all security of information handling activities. The committee is made up of management representatives from each of the parts of the organization concerned with information processing. The committee is responsible for coordinating computer security, reviewing the state of security, ensuring the visibility of management's support of computer security throughout the organization, approving computer security reviews, receiving and accepting computer security review reports, and ensuring proper control interfaces among organization functions. It should act in some respects similar to a Board of Directors' Audit Committee. Computer security reviews and recommendations for major controls should be made to, and approved by, this committee. The committee ensures that privacy and security are part of the overall information handling plan. The committee may be part of a larger activity within an organization to carry out the function of information resource management. For example, in one research and development organization an oversight council made up of representatives from organizations that send and receive data bases from the R&D organization was established. They are charged with oversight responsibilities for the conduct and control of the R&D organization relative to the exchange of data bases. Especially important are questions of individual privacy concerning the content of the data bases. [Ref. 23:p. 4-9]


The objective of this control is also to prevent loss of support for the security effort. In fact, the steering committee's major strength is that it visibly shows the dedication and support of top management for maintaining an acceptable security posture. By mandating that membership must cross all organizational lines, the security activity will be more consistent across interfaces; better attention will be paid to all information-processing-related functions; security can be considered within the context of other issues confronting the organization; and, policies and procedures can be more effectively enforced. Also, a committee approach can avoid the control of security by technologists who tend to be limited to technical solutions that may be more stimulating to them but more expensive and less effective to the organization. [Ref. 23:p. 4-3] Finally, this control can meet the requirements of the computer security policy and control function of the overall security program, discussed in the previous chapter.

c. Cooperation of Computer Security Officers

The third top management control of DOJ is "Cooperation of Computer Security Officers." It is described as follows:

Maintaining an effective computer security function can be enhanced by exchange of information with computer security functions in other outside organizations. Local computer security organizations can be developed within a given area of a city or regionally. Monthly or other periodic meetings of computer security officers can be held to exchange useful information and experience. A hotline communication capability can be established for exchange of information on an emergency basis to provide warning of possible mishaps or losses. It is important to limit the details of information exchanged to ensure that confidential controls information is not disseminated to unauthorized parties. [Ref. 23:p. 4-11]

This control is also an extension of the computer security officer control and has the objective of proactively strengthening the adequacy of system controls. By exchanging information with computer security officers of other organizations, important knowledge and techniques may be gained in the most time- and cost-efficient basis possible. Also, security officers can strengthen their sense of professionalism by relating directly with others in their chosen career field. A weakness of this control is the danger inherent in too much information regarding an organization's security posture/problems becoming known to unauthorized persons. [Ref. 23:p. 4-3] However, that danger must be weighed against the positive aspects of sharing information.

d. Keeping Security Reports Confidential

The Justice Department's fourth management-initiated control, "Keeping Security Reports Confidential," is described as:

Computer security requires the use and filing of 
numerous reports, including results of security reviews, 
audits, exception reports, documentation of loss inci- 
dence, documentation of controls, control installation and 
maintenance, and personnel information. These reports are 
extremely sensitive and should be protected to the same 
degree as the highest level of information classification 
within the organization. A clean desk policy should be 
maintained in the security and audit offices. All 
security documents should be physically locked in sturdy 
cabinets. Computer-readable files should be secured 
separately from other physically stored files and should 
have high-level access protection when stored in a 
computer. [Ref. 23:p. 4-10]

Although keeping security information under a high degree of protection makes the information difficult and time-consuming to use, it is nonetheless important to prevent taking, disclosure, or unauthorized use. It is also important because the security function must set the example for the remainder of the organization by appropriately caring for confidential information. [Ref. 23:p. 4-10]

e. Data Classification

The fifth control, "Data Classification," is described as follows:


Data may be classified at different security levels to produce cost savings and effectiveness of applying controls consistent with various levels of sensitivity of data. Some organizations maintain the same level of security for all data, believing that making exceptions is too costly. Other organizations may have only small amounts of data of a highly sensitive nature and find that applying special controls to the small amount of data is cost-effective. When data are classified, they may be divided into two or more levels, often referred to as general information, confidential information, secret information, and other higher levels of classification named according to the functional use of the data, such as trade secret data, unreported financial performance, etc. [Ref. 23:p. 4-6]

The objective of this control is, obviously, to prevent compromise of sensitive data. By treating data security requirements differently, according to the data's sensitivity level, and allowing access only on a need-to-know basis, an organization can most easily ensure that data is provided adequate protection but also that needed data is most readily accessible for legitimate purposes. Thus, this control allows the most cost-efficient balance between security and productivity requirements. A special consideration should be the danger of over or under classifying data and the fact that classification can easily result in excessive data handling/processing complexity. [Ref. 23:p. 4-6] It is also important to point out that classification of data in a hierarchical scheme and access to it on a need-to-know basis is extremely hard to implement in practice. The only organization that has been able to do this is the federal government, which achieves it only by a process of segregated computer systems.

f. Financial Loss Contingency and Recovery Funding

The sixth control that should be implemented by top management is "Financial Loss Contingency and Recovery Funding" and is described by DOJ as follows:

Self-insured organizations, such as government agencies, should be assured of readily available emergency funds for contingencies and recovery. Specialized EDP insurance is available and should be considered when insurance covering other types of losses in a business may not apply. Financial risk protection should cover asset losses, business interruption, and extra expenses resulting from contingency recovery. Organizations that are insured should bond all employees against fraud in high-risk areas of data processing activities. Blanket bonds will normally cover this activity. [Ref. 23:p. 4-5]

This top management control was also discussed by the National Bureau of Standards, but as an element that should be included in the overall security program. Regardless of its placement, the objective is to ensure that the organization can recover from a business interruption. The most cost-effective method of accomplishing this objective (for non-self-insuring organizations) is by gaining protection and sharing economic risks with other companies, i.e., through purchased insurance programs. However, insurance must not be allowed to become an alternative to good security discipline. [Ref. 23:p. 4-5]

g. Separation and Accountability of EDP Functions/Duties

"Separation and Accountability of EDP Functions/Duties," the seventh DOJ control, is described in this manner:


Holding managers accountable for the security in the areas they manage requires that these areas be clearly and explicitly defined so that there is no overlap or gaps in managerial control of EDP functions. EDP functions should be broken down into as many discrete self-contained activities as is practical and cost-effective under the circumstances. Besides being a good general management principle to maintain high performance, it also provides an explicit structure for assignment of controls, responsibility for them, accountability and a means of measuring the completeness and consistency of meeting all vulnerabilities adequately. Well-defined functions also facilitate the separation of duties among managers, as is required in separation of duties of employees. This reduces the level of trust needed for each manager. The functions of authorization, custody of assets, and accountability should be separated to the extent possible. [Ref. 23]


This control is designed to prevent loss of support for the security effort and reduce the possibility of accidental or intentional acts resulting in losses. It forces the need for collusion among individuals who may attempt unauthorized activities. It enhances efficiency in EDP functions and inhibits the loss of control from migrating from one function to another. However, increased complexity of EDP functions could result from excessive separation of functions, making the application of individual controls more difficult. Also, small shops may not have adequate numbers of employees to support extensive separation of duties. [Ref. 23:p. 4-1]

Krauss and MacGahan expound upon the importance of this control, saying that it cannot be overemphasized. They believe that no single individual should have responsibility for the complete processing of any single or group of transactions. Further, there should be no way that a person could make an error or abusive act without being detected by some other person during the routine execution of that other person's responsibilities. Forcing dishonest employees to collude serves as a deterrence and prevention measure and increases the likelihood of detection, since the greater number of people involved means that mistakes are more probable and the presence of a particular person needed to perform a required manipulation is less likely as the conspirators' numbers increase. [Ref. 12]

h. EDP Auditor

The eighth and final control measure that DOJ suggests top management of any organization should employ as a security measure to protect its computer assets is the "EDP Auditor." Since the EDP auditing function is one of the most important controls and because it is used as a feedback mechanism to top management on the effectiveness of the other measures, discussion of it will be held until all other top management controls have been considered.

2. Top Management Initiated Controls (NBS)

The discussion will now turn to the three control measures that the National Bureau of Standards identified as worthy of top management initiation. These include the following factors.

a. Adjustment/Correction Reporting

The first, "Adjustment/Correction Reporting," is described by NBS as:

Policy, procedures, and software to provide reports of adjustment/correction transactions covering the sphere of influence for each manager. For example, any modification, updates, deletions, or other changes to the payroll master file should be reported regularly to the manager of payroll systems for his information and action. [Ref. 15:p. 82]

This control is actually an extension of the "Separation and Accountability of EDP Functions/Duties" control suggested by DOJ. It is important because error corrections and adjustment transactions are initiated in reaction to existing problems and are often not subjected to appropriate and adequate control procedures. Such situations provide an opportunity for the dishonest employee to perpetrate fraud by preparing and submitting improper or unauthorized transactions. If not controlled, such fraudulent transactions may never be detected. [Ref. 12:p. 106]
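As an added example (not part of the thesis or of the DOJ/NBS material), the following script shows how the two preceding controls could be checked mechanically over a transaction log: it produces the per-manager adjustment/correction report that NBS describes, exposes master files that no manager is accountable for (the "gaps" DOJ warns of), and flags transactions in which one person held more than one of the authorization, custody and accountability roles that DOJ says should be separated. The record layout, manager identifiers and log entries are constructed for illustration.

```python
"""Added example: mechanical checks for two top-management controls.

Not from the thesis or from the DOJ/NBS reports; the field names, the
manager identifiers and the transaction records below are constructed
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """One transaction against a master file, carrying the three EDP
    roles that DOJ says should be held by different people."""
    txn_id: str
    master_file: str   # which master file was touched, e.g. "payroll"
    kind: str          # "normal", "adjustment" or "correction"
    initiated_by: str  # authorization role
    approved_by: str   # custody-of-assets role (releases the change)
    recorded_by: str   # accountability role (posts it to the record)
    amount: float


# Sphere of influence: the manager responsible for each master file.
# (Hypothetical manager ids; "benefits" is deliberately left unassigned.)
SPHERE_OF_INFLUENCE = {"payroll": "mgr_payroll", "vendor": "mgr_ap"}

# Constructed sample log. T3, T4 and T6 each let one person hold two roles.
SAMPLE_LOG = [
    Transaction("T1", "payroll",  "normal",     "alice", "bob",   "carol", 1200.0),
    Transaction("T2", "payroll",  "adjustment", "dave",  "bob",   "carol",  350.0),
    Transaction("T3", "payroll",  "correction", "dave",  "dave",  "carol",  900.0),
    Transaction("T4", "vendor",   "adjustment", "erin",  "frank", "erin",  4100.0),
    Transaction("T5", "vendor",   "normal",     "erin",  "frank", "gina",    75.0),
    Transaction("T6", "payroll",  "correction", "alice", "bob",   "bob",     40.0),
    Transaction("T7", "benefits", "adjustment", "hal",   "ivy",   "jo",     210.0),
]

ADJUSTMENT_KINDS = {"adjustment", "correction"}
ROLES = (("authorization", "initiated_by"),
         ("custody", "approved_by"),
         ("accountability", "recorded_by"))
UNASSIGNED = "UNASSIGNED"


def adjustment_report(log, sphere=SPHERE_OF_INFLUENCE):
    """NBS 'Adjustment/Correction Reporting': group every adjustment or
    correction transaction under the manager who owns the master file.
    Files with no owner land under UNASSIGNED so the gap stays visible."""
    report = defaultdict(list)
    for t in log:
        if t.kind in ADJUSTMENT_KINDS:
            report[sphere.get(t.master_file, UNASSIGNED)].append(t.txn_id)
    return dict(report)


def coverage_gaps(log, sphere=SPHERE_OF_INFLUENCE):
    """Master files touched by the log that no manager is accountable for
    (DOJ: areas must be defined with no overlap or gaps)."""
    return sorted({t.master_file for t in log} - set(sphere))


def separation_violations(log):
    """DOJ 'Separation ... of EDP Functions/Duties': flag transactions in
    which one person held more than one of the three roles."""
    violations = {}
    for t in log:
        held = defaultdict(list)
        for role, field in ROLES:
            held[getattr(t, field)].append(role)
        conflicts = {p: roles for p, roles in held.items() if len(roles) > 1}
        if conflicts:
            violations[t.txn_id] = conflicts
    return violations


def render(log=SAMPLE_LOG, sphere=SPHERE_OF_INFLUENCE):
    """Plain-text lines a security officer could review as part of the
    daily report review the thesis lists among the officer's duties."""
    lines = []
    for manager, txns in sorted(adjustment_report(log, sphere).items()):
        lines.append(f"{manager}: adjustments/corrections {', '.join(txns)}")
    for f in coverage_gaps(log, sphere):
        lines.append(f"GAP: master file '{f}' has no accountable manager")
    for txn_id, conflicts in separation_violations(log).items():
        for person, roles in conflicts.items():
            lines.append(f"SEPARATION: {txn_id} {person} held {' + '.join(roles)}")
    return lines


if __name__ == "__main__":
    print("\n".join(render()))
```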

b. Job Rotation

The second of NBS's top management controls, "Job Rotation," is described as:

Policy and procedures to periodically rotate those positions that have a great deal of authority among individuals in the data handling process. For example, the position responsible for address changes should be assumed by new persons periodically and without notice. The new person's first responsibility would be to verify the integrity of the file. [Ref. 15:p. 82]


The reason that unannounced duty rotations should be standard procedure is that the practice serves as a deterrence to abuse and to collusion. If a person is aware that he or she, without notice, is likely to be asked to switch jobs, he or she will be less inclined to begin to fraudulently manipulate the system, because the fruits of the manipulation will often remain for long periods and be discovered by the replacement. Also, other individuals will be less likely to collude, because they know that job rotations mean that still other people must be brought into the scheme and, hence, the collusion becomes expanded and more risky. [Ref. 12:p. 123] Anytime that an individual resists rotating from a sensitive computer position, foul play should be suspected until the person's reason for resistance can be checked out.

c. Disaster Avoidance

The third of NBS's three management-initiated security controls, "Disaster Avoidance," deals mostly with ensuring that the physical plant is protected. It is described as:

Policy that facilities, both central and remote, are to be designed and constructed (or modified) so as to provide maximum protection against natural disasters and against persons intent on destroying physical or intellectual property. [Ref. 15]

Physical security measures are generally beyond the scope of this paper. However, some aspects of this control do pertain to protecting a computer system against internal abuse. These include designating certain areas, such as the computer room, data library, and software development areas, as "off limits" to unauthorized personnel; eliminating non-essential doors and controlling access to those considered essential; utilization of identification badges; and enforcing visitor controls. While much of these measures clearly falls within the controlling province of EDP management and below, general policies and guidelines that classify and/or specify expectations of top management are not out of order.
3. Other Top Management Initiated Controls

In addition to the eleven controls discussed above, there are others that are important for top management to implement in order to complete the computer security framework. Several of these are discussed in the following paragraphs. Because different organizations will require the implementation of different top managerial controls and because there are literally dozens of such controls from which to choose, the following discussion does not attempt to cover all the possibilities. Rather, it covers the additional top management controls that appear most widely addressed in the literature, that are appropriate to safeguard the assets of most computer organizations, and/or that seem especially pertinent to a computer system's environment. These controls include the following features.
a. Guidelines for Ethical Decisionmaking

The first of these controls is called "Guidelines for Ethical Decisionmaking." This control is necessary to counter the four rationalizations that may persist in all organizations and cause employees to act unethically. It must be designed to address the following situation, as stated by Gellerman:

How can managers avoid crossing a line that is seldom precise? Unfortunately, most know that they have overstepped it only when they have gone too far. They have no reliable guidelines about what will be overlooked or tolerated or what will be condemned or attacked. [Ref. 13]

The solution to this situation is for top management to establish specific and unquestionable guidelines for ethical behavior. The line between proper and improper conduct must be made exactingly precise by stating clearly the bounds within which decisions must be made. When employees must operate in murky borderlands, top management is obligated to force them to trust in and employ the most reliable guideline of all: when in doubt, don't--especially until the legality of the situation can be clarified. [Ref. 13:p. 89]

Also, senior executives are responsible to draw the line between loyalty to the company and action against the laws and values of society in which the company must operate. Further, because the line may become obscured in the "heat of the moment," it must be drawn well short of where reasonable men and women could begin to suspect that their rights have been violated (and especially well short of the point at which a prosecutor might consider an indictment is warranted). Finally, and most importantly, top managers must stress that excuses of company loyalty will not be accepted for criminal or unethical behavior. They must make it clear that employees who harm other people, even allegedly for the company's benefit, will be fired. [Ref. 13:p. 90]
b. Standards of Conduct

The next top management control to be discussed is "Standards of Conduct." Because this control mechanism is very important to the security effort, it is considered in some detail. In Chapter III, the discussion on ethics mentioned that establishing a code of ethics can greatly assist top executives in managing the security effort. It can, too, and a strong ethical environment, as stated, is absolutely essential if the computer assets are to be secure. However, top managers would not only be naive but also big losers if they believed that a code of ethics or strong sense of ethics would be sufficient to protect their computer system:

One of the most troubling aspects of the . . . case is the company's admission that those involved were thoroughly familiar with the company's ethical standards before the incident took place. This suggests that the practice of declaring codes of ethics and teaching them to managers is not enough to deter unethical conduct. Something stronger is needed. [Ref. 13:p. 90]

That "something stronger" is a Standards of Conduct, which is significantly different from a Code of Ethics. The code deals more with normative issues. It explains that which "should be" versus that which "is." Ethical codes are based on trust and derive their strength by appealing to one's sense of professionalism and moral obligations to do that which is right.

Standards of Conduct, on the other hand, deal more straightforwardly with the reality of the workplace. As seen in the description of the "enemy," employees (even normally honest ones) do sometimes face situations that may cause them to look beyond ethical means for solutions. Properly designed Standards of Conduct will not only specifically proscribe certain behaviors but will also cause tempted workers to think long and hard before committing themselves to abusive acts, i.e., the standards serve as a strong deterrent as well as a preventive control.

In order for Standards of Conduct to serve these dual purposes, they must possess something that Codes of Ethics normally lack: "teeth." This means that Standards of Conduct must have built-in enforcement mechanisms. If an employee violates a standard, he or she should be disciplined commensurate with the seriousness of the violation. The measures taken may range from simple "wrist slapping" to dismissal and should always include criminal prosecution if warranted. Further, the discipline should be administered according to the "hot stove" rule, as described by Stephen Robbins: it should be immediate, consistent, and impersonal. [Ref. 24] Also, and this is especially important for a computer systems environment, news of the situation and the disciplinary action taken should be widely disseminated as a deterrent to others and to counter the notion, mentioned by William Starfire, that computer crime is safe crime.

Inherent in the discussion of enforcement of Standards of Conduct are two other issues that are worthy of note. First, the standards will only be as effective as they are made to be. Often companies will specify formalized, written standards, but then they do little to review for compliance. However, unless the standards are closely monitored to ensure compliance, they will be useless. This policy compliance feedback mechanism must be designed into the system and checked closely by internal and external auditors.

Second, employees must be well versed in the specific details of the standards. This is crucial if the standards are to be enforceable. Many organizations require that all newly assigned or newly hired personnel be trained in the Standards of Conduct soon after arrival. Thereafter, they must review the standards on a periodic basis (frequently annually). After training or reviewing, employees are required to sign a statement acknowledging that they understand and will comply with the provisions of the standards. The signed acknowledgement has a strong deterrence value and clearly eliminates ignorance as an excuse for standards violations.

The "Standards of Conduct" control is actually an "umbrella" control under which top management can specify other more specialized or ad hoc controls that it sees are needed to manage high-potential problem areas or situations that may arise unexpectedly. There are many such controls that are at management's disposal. Some of these apply especially to a computer environment and should be included by top management in any published Standards of Conduct for an organization that employs electronic information systems. These include the following measures.

(1) Gratuities. The giving and receiving of gifts between customers and vendors, regardless of the stated reasons, are bribery if either party or both parties stand to benefit as a result of the "gift." Receiving or giving gifts as part of business operating procedures must be strictly prohibited. This control should also specifically address the receipt of gifts from business associates by family members of company employees.

(2) Moonlighting. "Moonlighting on the job," or engaging in secondary income activity while employed in a full-time position, costs American businesses a significant and growing portion of the estimated $160 billion spent each year on employees' deliberate waste of on-the-job time. There are four compelling reasons why moonlighting should be curtailed from an EDP environment: it causes reduced performance; encourages unauthorized use of resources; represents potential conflicts of interest; and affects employee morale. [Ref. 26]

Even if circumstances do not allow moonlighting to be totally prohibited, it should be publicly discouraged and strictly controlled. If the second job appears to interfere with the employee's on-the-job performance or if it is such that conflicts of interest are likely, then permission to moonlight should be denied. It is especially important in a computer systems environment that workers who deal with sensitive assets or functions not be permitted to perform similar functions in other organizations. This is because of the natural tendency to illegally transfer proprietary information/assets away from the parent organization (in effect, to pirate them for use on the second job).

While moonlighting on the job is insidious 
to an organization, moonlighting per se may not be. It is 
thus important that every organization derive a moonlighting 
policy and guidelines that are appropriate for its particu- 
lar circumstances. According to Jeffrey Davidson, however, 
all firms must include in their guidelines statements that: 

1. Spell out the conditions under which top management will approve, disapprove or be neutral toward moonlighting (e.g., it may applaud teaching at local colleges or lending skills to government service but "frown upon" working for a competitor).

2. Classify whether in-house telephones, secretaries, copy machines, or computers can be used for outside purposes.

3. Leave no doubt in anyone's mind concerning expected job performance and steps that will be taken if moonlighting causes performance to decline. [Ref. 25]

(3) Organizational Property. Organizational property should only be used in the direct pursuit of legitimate, organizational business. Guidelines to clarify this fact are especially important to a firm operating a computer system because ownership of property is frequently not clear. The individual developer of a piece of software, for example, may feel that the final product is his/her personal property, vice organizational, because he/she perhaps spent many off-duty hours in completing it. The laws governing such cases are not always clear, and many cases are decided in court. To prohibit any misunderstandings, top management must specify, in terms that cannot be misconstrued, that property which comprises organizational assets. As much as possible, such assets should be marked as organizational property. Also, it is wise that top management issue a policy that all fruits of all employees' work-related efforts will be considered company-owned property. This will put the obligation to prove individual ownership on the shoulders of those who claim otherwise and will cause questionable cases to be decided individually.
(4) Nonuse/Nondisclosure. All computer personnel and all employees who possess and use confidential information and trade secrets or those who may find themselves in a position in which conflicts of interest may arise should be required to read a policy explaining legitimate use and disclosure of the company's valuable informational assets. The statement should explain specifically that confidential information can be used only in the context of one's immediate, legitimate job-related activities. As a condition of employment, employees should be required to sign a statement acknowledging their understanding of the policy and their agreement to comply with it. [Ref. ?:p. 65]


(5) Substance Abuse. The use of illegal drugs or the abuse of prescribed drugs and/or alcohol must be proscribed from the workplace. Also, substance abuse away from the job that affects on-the-job performance/behavior must be strictly controlled. While managerial controls should only focus on those activities that are job-related, it is important to note that substance abuse has frequently been found to be a root cause of identified computer systems abuse. Thus, those individuals who are suspected of abusing drugs should be considered unreliable and denied access to sensitive information and processes until their reliability can be reestablished. In this regard, the employment of urinalysis testing is becoming much more widespread and should be considered as a control and verification tool.

(6) Gambling. Any form of gambling should be strictly prohibited from occurring on organizational property. Also, individuals who are known to be heavily involved in gambling should be monitored closely and, in some cases, offered counselling services. If knowledge of indebtedness also surfaces, they should be removed from having access to sensitive, valuable assets until the matter is resolved.

c. Employee Assistance Program

The "Employee Assistance Program" is another top management control that should be employed to help safeguard sensitive computer systems. Of all the controls discussed so far, the Employee Assistance Program (EAP) is potentially one of the most rewarding, because it will be viewed most favorably by employees and offers the opportunity to deter computer abuse and provide more stability, productivity and higher morale in the workplace, all at the same time. It is a proactive, pro-worker measure that has been gaining in popularity in businesses across the country as they attempt to combat theft and high rates of absenteeism and turnover. Today, 60% of the Fortune 500 companies employ some form of internal or external EAP. They are finding it less expensive and more beneficial to get their employees help than to "lose" them. [Ref. 26]
Employee Assistance Programs help workers by providing them with counselling for everything from domestic problems to drug abuse. [Ref. 27] They are especially effective in EDP organizations, because they offer a place for troubled workers to seek help for that "unshareable problem" that often causes them to turn to illegal means for solutions. The EAP can also counter the extremely high levels of stress that are inherent in EDP positions, as well as "burnout," disgruntlement, and substance abuse that can lead employees into amateur crime.

d. "Whistle Blower" Policy

Another top management control for ensuring the security of a computer system against internal threats is the "Whistle Blower Policy." Whistle blowing can be an outstanding weapon for top management to use in battling computer abuse, but it must be employed properly. As Stoner says, the practice is often discouraged because it ". . . usually embarrasses management and can be done with impunity only when the whistle blower is leaving the organization voluntarily." [Ref. 17:p. 69]

However, this does not have to be the case. If top management is proactively employing the security program and controls already discussed in this paper, instances of whistle blowing should be rare and can be viewed not as an embarrassment but as a sign that the security effort is working properly. As part of their management of the ethical environment, if top management were to encourage whistle blowing and guarantee in words and deed that the whistle blower would be protected against reprisal, then the practice would gain in popular acceptance and would be a viable deterrence against abuse (this assumes, of course, that top management is viewed as trustworthy in its own right).

Deterring abuse in government by changing the "flavor" of whistle blowing is the motive behind a bill that is currently pending before the Senate (it has already been passed by the House of Representatives). The bill is designed to remove the stigma that may be associated with whistle blowing and to promote the practice by assuring a "firm and swift investigation" into allegations and by providing protection for the whistle blower against possible reprisal. According to the sponsor of the bill, whistle blowers are patriots, not troublemakers, and they should be treated as such. [Ref. 28] By viewing and treating whistle blowing in the same positive manner prescribed by the pending legislation, any organization would undoubtedly reap large benefits not only in the form of detecting crimes but also in deterring abusive behavior.

e. EDP Auditor

The final top management control that will be discussed as a tool for securing a sensitive computer system is the "EDP Auditor." As mentioned earlier, this control was identified by the Department of Justice as one that should be initiated by top management. It ". . . can be one of the most effective countermeasures a company has in its total system of safeguards to prevent, detect, and deter computer [abuse]." [Ref. 12:p. 222] It is also one of the singular most important top management controls because it is implemented with the specific intent of overseeing all the other security countermeasures. A detailed discussion of this control would require a book and is beyond the scope of this paper. However, there are two important aspects of EDP auditing that are particularly worthy of top managerial consideration.

First, it is very important for top management to recognize that for EDP auditing to be effective it will require large doses of the highest level support. This is true for at least two reasons. These include the fact that EDP auditing has received a tremendous amount of criticism in the past and that EDP auditing is extremely time and resource consuming and will be seen as an especially vibrant albatross to organizational progress.

According to Krause and MacGahan, EDP auditing has been heavily criticized by more than a few experts in the EDP security field. These experts contend that EDP auditors lack the necessary training and tools to do an adequate job, especially in the area of identifying on-going computer fraud. This criticism appears not to be without merit. [Ref. ?] The significance for top management is that it must take steps to ensure that the organization's internal auditing section receives the training and tools necessary to make it proficient in auditing computer systems.

Making the EDP auditing function more palatable to an organization's processes is extremely important to the auditor's success and represents the second reason that top level support for the control is mandatory. Computer systems auditing basically serves two roles in an organization: a reactive role in which it checks or verifies the efficiency/effectiveness of other controls, the overall security program, and in fact of the computer system itself; and a proactive role in which it plays an active part in the design and implementation of individual EDP processes. This latter role is one that will not be favorably viewed by other elements of the business. Everything mentioned previously about the fettering of productive effort by security mechanisms seems magnified when one considers EDP auditing.

There is a vast difference between EDP auditing and traditional auditing: EDP auditing is newer and is generally considered a much more difficult process. While traditional auditing has physical records that establish traceable audit trails, the same is not true of EDP auditing. In many cases, the audit trails of EDP functions disappear, literally, at the speed of light as the electronic pulses change or, perhaps, as the computer is turned off. In other words, there is inherently no physical, tangible record, in many cases, that can later be inspected or audited.

Thus, auditing process functions must be built right into other operational aspects of the system. This entails a lot of work and resources and generally compounds an already complex problem. For example, consider that adding functions to establish audit trails in an applications program may require hundreds of lines of code in addition to the hundreds that the software application itself may require. Plus, to be most effective at ensuring that the audit needs are met, the internal auditors should be actively involved in the design (especially early design) and should have authority to approve or disapprove many aspects of the system as it is developed. In such a situation, it is not hard to imagine the organizational problems that may exist as the system developers fight with the auditors over control of the developers' project. Without active support of top management, the required auditing features are likely to be dropped or amended, especially as time constraints begin to take their toll (as they generally do).
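As an added illustration, not code from the thesis, the following Python sketches what "building the audit trail right into the application" looks like: a hypothetical payroll adjustment routine that cannot run without first writing a hash-chained, keyed audit record, a verification routine an internal or external auditor can run to detect edited or deleted records, and a small review helper of the kind the earlier paragraph on compliance monitoring calls for. The routine name, the key, and the sample entries are all constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # anchor for the first entry
PAYLOAD_FIELDS = ("seq", "ts", "actor", "action", "target")


def _entry_hash(key, prev_hash, payload):
    # Keyed hash over the previous entry's hash plus this entry's content,
    # so every entry commits to the whole history before it. An unkeyed
    # hash would only catch accidental corruption, not a deliberate rewrite.
    material = prev_hash + json.dumps(payload, sort_keys=True)
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, hash-chained log kept under a key the auditors control."""

    def __init__(self, audit_key):
        self._key = audit_key
        self.entries = []

    def record(self, ts, actor, action, target):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"seq": len(self.entries), "ts": ts, "actor": actor,
                   "action": action, "target": target}
        entry = dict(payload, prev=prev,
                     hash=_entry_hash(self._key, prev, payload))
        self.entries.append(entry)
        return entry


def verify_chain(entries, audit_key):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        payload = {k: e.get(k) for k in PAYLOAD_FIELDS}
        expected = _entry_hash(audit_key, prev, payload)
        if e.get("seq") != i or e.get("prev") != prev:
            return i                    # gap, reorder, or deletion
        if not hmac.compare_digest(e.get("hash", ""), expected):
            return i                    # content edited or hash forged
        prev = e["hash"]
    return -1


def payroll_adjust(log, ts, actor, employee_id, amount):
    # Hypothetical business routine: the audit entry is written before the
    # adjustment is applied, so no adjustment can exist without a record.
    log.record(ts, actor, f"ADJUST {amount:+d}", employee_id)
    return {"employee": employee_id, "delta": amount}


def off_hours_actions(entries, start_hour=8, end_hour=18):
    """Auditor review: seq numbers of entries made outside business hours."""
    flagged = []
    for e in entries:
        hour = int(e["ts"][11:13])      # timestamps are "YYYY-MM-DDTHH:MM:SS"
        if not start_hour <= hour < end_hour:
            flagged.append(e["seq"])
    return flagged


def demo():
    key = b"auditor-held-key (constructed sample)"
    log = AuditLog(key)
    # Constructed sample activity, not real data.
    payroll_adjust(log, "1986-03-03T09:15:00", "clerk01", "E1001", 250)
    payroll_adjust(log, "1986-03-03T14:02:00", "clerk02", "E1002", -75)
    payroll_adjust(log, "1986-03-04T02:40:00", "clerk01", "E1001", 5000)
    payroll_adjust(log, "1986-03-04T10:30:00", "clerk02", "E1003", 120)

    results = {"intact": verify_chain(log.entries, key)}

    # An insider edits a stored record after the fact.
    edited = [dict(e) for e in log.entries]
    edited[2]["target"] = "E1999"
    results["edited"] = verify_chain(edited, key)

    # The same edit, with the hash recomputed under a guessed key.
    forged = [dict(e) for e in log.entries]
    forged[2]["target"] = "E1999"
    forged[2]["hash"] = _entry_hash(b"guess", forged[2]["prev"],
                                    {k: forged[2][k] for k in PAYLOAD_FIELDS})
    results["forged"] = verify_chain(forged, key)

    # A record is removed from the middle of the log.
    deleted = log.entries[:1] + log.entries[2:]
    results["deleted"] = verify_chain(deleted, key)

    results["off_hours"] = off_hours_actions(log.entries)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the separation of duties the thesis argues for: the application writes the entries, but the key that makes them verifiable is held by the auditors, so the developers or operators of the system cannot quietly revise its history, and an audit can begin by running verify_chain before any review of content.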

The second aspect of EDP auditing that is especially worthy of top managerial consideration is the frequency with which the system should be audited. As Gellerman commented, "Simply increasing the frequency of audits and spot checks is a deterrent. . . ." [Ref. 13:p. 90] However, increasing the frequency of audits is no simple matter, because audits are very expensive. Top management must, therefore, determine the most cost-effective approach to dealing with systems security problems. It may employ the reactive (yet cheaper) "big stick" method of resolving problems that are discovered, or it may employ the more expensive and more proactive technique of making frequent audits designed to deter crime from occurring in the first place. [Ref. 13:p. 90]

The final approach taken will likely consist of some balance between the two methods. Regardless, there are two ways in which top management can make its auditing control more effective. First, it should not only increase the frequency of audits to the greatest extent that is economically feasible, but it should also schedule the audits irregularly, making at least half of them unannounced and setting up some checkups soon after others. Second, if the audits do detect a trespass, top management should announce the misconduct and the punitive actions taken. [Ref. 13:p. 90] Recall that the amateur computer criminal fears most unanticipated detection and public disclosure of his or her acts. By designing the auditing process so as to most effectively exploit this fear, the control will realize its fullest deterrence potential.
VI. CONCLUSION

The enormous losses suffered by American organizations through computer abuse can be greatly reduced if a well-planned and coordinated security effort is employed. Ron Weber suggests that a common sense approach which breaks the security process down into seven separate levels of controls can greatly facilitate the effort. The controls range from the broad-based and nontechnical measures of the outer layers of Weber's security "onion" to the very technical and expensive controls employed at the inner layers. The inner layers of controls and, hence, the security effort itself, will only be as effective as the outer layers of controls.

This paper agrees with Weber's thinking and discusses his outermost layer of controls, those prescribed by top management of an organization. In essence, it describes those things that top management must consider and the things it must do in order to ensure the security of its sensitive information systems against internal abuse. It, first, provides a profile of the "enemy" against whom the computer system must be protected. Although six different types of computer criminals have been identified, and each type, to some extent, poses a threat to organizations' computer assets, it was found that organizational employees constitute the greatest danger to computer systems. These individuals, called amateur computer criminals, may be some of the business' best performers but, because they have some "unshareable" problem, they may turn to illegal acts for what appears to be the most expedient resolution.

The focus then turns to a discussion of how an ethical business environment is especially important to the security of computerized assets. Four rationalizations that cause managers to act unethically were presented. It was shown how allowing widespread employment of these rationalizations may be particularly detrimental in computer organizations because of the expanded size of the workforce in positions of trust. It was shown how and why top management must lead the way in overcoming the tendency to rationalize and to act unethically.

After top management has a firm grasp of the "enemy" and has instilled the appropriate ethical environment, it must then take an active role in the formulation of the overall security program for the organization. Top management's active participation in this process is vital for several reasons. Without its support, security control measures will not be accepted since they inherently stifle productive effort. Also, since security controls are expensive in both direct and indirect costs, top management must take an active role in determining the appropriate level of security necessary for the individual organization. Finally, the overall security program serves as the framework within which all the other control mechanisms can and will function. Thus, the computer security effort will only be as good as the overall security program.

After top management has ensured the establishment of the appropriate overall security program, it then must prescribe its own more specific security controls and ensure that lower management levels of Weber's security "onion" do likewise. The controls necessary for top management initiation have, to a great extent, been provided by the Department of Justice and the National Bureau of Standards. They and others presented in Chapter V basically serve as an extension of the framework of the overall security program and may cover any situation that top management sees as needing special attention in the effort to secure the organization's information systems against internal abuse.